Release focus: Security patches for Firebird 2.5, new encryption plugin capabilities, FBDataGuard improvements, and general stability fixes.
SECURITY ALERTS
Firebird 2.5 — Critical Vulnerabilities Fixed
ACTION REQUIRED for all Firebird 2.5 users.
Firebird 2.5 vanilla reached end-of-life in 2019 and no longer receives upstream security updates. This release of HQbird backports fixes for several serious vulnerabilities recently discovered and already patched in Firebird 3.0, 4.0, and 5.0.
- CVE-2026-28212 — Fixed in HQbird Firebird 2.5.27192
- CVE-2025-54989 — Fixed in HQbird Firebird 2.5.27192
- CVE-2026-33337 — Fixed in HQbird Firebird 2.5.27192
- CVE-2026-35215 — Fixed in HQbird Firebird 2.5.27192
- CVE-2025-65104 — Fixed (client-only issue: fbclient.dll connecting to Firebird 4+)
- CVE-2026-40342 — Not applicable, does not exist in Firebird 2.5
Recommendation: Upgrade all existing Firebird 2.5 installations to the latest HQbird Firebird 2.5 immediately.
Firebird 3.0 / 4.0 / 5.0 — Use Latest Versions
The vulnerabilities listed above also affect Firebird 3.0, 4.0, and 5.0. They have been addressed in the following upstream vanilla releases:
- Firebird 3.0.14
- Firebird 4.0.7
- Firebird 5.0.4
For HQbird users, the recommended versions included in this release (2024 R2 Update 11) are:
- Firebird 5.0 — recommended build: 5.0.5.xxx
- Firebird 4.0 — recommended build: 4.0.8.xxx
- Firebird 3.0 — recommended build: 3.0.15.xxx
FIREBIRD 5 — IMPORTANT BUG FIX
The QA team identified a significant, long-standing bug affecting the optimization of complex queries with many LEFT JOIN clauses. This has been fixed in the Firebird 5 build included in this HQbird release.
Details: https://github.com/IBSurgeon/hqbird/commit/2f91fa002ff29d95eb0238666270928b575d568f/
ENCRYPTION PLUGIN IMPROVEMENTS
KeyHolderStdin support has been added for Firebird 4. This capability was previously available only in Firebird 5 (Firebird 3 uses a different mechanism). With this update, Firebird 4 users can now pass encryption passwords via stdin, enabling secure use of command-line tools without saving passwords to disk.
Tools covered: gfix, gbak, nbackup.
It is no longer necessary to use KeyHolder.conf password storage, even during development and debugging.
Installation:
- Vanilla HQbird users: An updated installation script (downloads and installs the encryption plugin on Windows) is available at: https://github.com/IBSurgeon/FirebirdEncryptionPluginInstall
- HQbird licensed users: Included directly in the HQbird installer.
SILENT MODE INSTALLATION (WINDOWS)
Several improvements have been made to the Windows silent installation process to provide a more flexible and configurable installation experience.
HQBIRD FBDATAGUARD CHANGES
Improvements
- Adjusted default additional parameters for reinitialization.
- Replication configuration generation: removed all configuration keys with empty values; removed elements irrelevant to the node's role (parameters retained in settings after switching master/replica roles, or after version upgrades from 2/3 to 4/5).
- Enforced UTF-8 encoding for database connections (restores previously existing behavior).
- Upgraded to Jaybird 5.12.
- Fixed connection string generation when working with a custom list of authorization plugins.
- Added a uniqueness check and requirement for the registration name entered for databases.
Access Rights Separation for Guest user
A new access rights separation mechanism has been implemented for admin and guest users.
Default guest credentials (changed):
access.guest-login = viewer
access.guest-password = password4viewer
Guest user restrictions:
- Cannot run on-demand tasks (shows an "Access denied" dialog).
- Cannot perform reinitialization.
- Cannot manage trace sessions, speed tests, or change passwords.
Additional notes:
- Passwords can only be changed by manually editing the file: \HQBirdData\config\access.properties
- If access.guest-password is left empty, login via the guest account is blocked entirely.
- Uniqueness of admin and guest usernames is not validated.
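An added example, not part of these release notes or of FBDataGuard's own code: a Python check that reads access.properties and reports whether the guest account still uses the shipped default password, is blocked by an empty password, or shares its username with the admin account. The admin login key name `access.admin-login` is a hypothetical placeholder (the notes do not give it), and the sample file content is constructed.

```python
import re

# Key names and the shipped default password are taken from the notes above.
GUEST_LOGIN_KEY = "access.guest-login"
GUEST_PASSWORD_KEY = "access.guest-password"
SHIPPED_GUEST_PASSWORD = "password4viewer"
# ASSUMPTION: the admin login key is not named in the release notes; this is a
# hypothetical placeholder, replace it with the key used in your own file.
ADMIN_LOGIN_KEY = "access.admin-login"

def parse_properties(text):
    """Parse simple Java-style .properties text into a dict (last value wins)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # blank line or comment
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit_access(text, admin_login_key=ADMIN_LOGIN_KEY):
    """Return a list of finding codes for the guest-account settings."""
    props = parse_properties(text)
    findings = []
    if GUEST_PASSWORD_KEY not in props:
        findings.append("guest-password-key-missing")  # behaviour not stated in the notes
    elif props[GUEST_PASSWORD_KEY] == "":
        findings.append("guest-login-blocked")  # empty password blocks guest login
    elif props[GUEST_PASSWORD_KEY] == SHIPPED_GUEST_PASSWORD:
        findings.append("guest-password-is-shipped-default")
    guest_login = props.get(GUEST_LOGIN_KEY, "")
    admin_login = props.get(admin_login_key)
    if guest_login and admin_login == guest_login:
        findings.append("admin-and-guest-share-username")  # the product does not check this
    return findings

# Constructed sample input, not a real configuration file.
SAMPLE = """\
# constructed example
access.admin-login = viewer
access.guest-login = viewer
access.guest-password = password4viewer
"""

if __name__ == "__main__":
    for finding in audit_access(SAMPLE):
        print(finding)
```

The parser handles plain `key = value` lines only; escaped characters and line continuations in .properties files are not interpreted.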
Bug Fixes
- Fixed several issues in error handling for insufficient filesystem permissions.
- Added additional logging and error notifications in the VSS request handler.
- Adjusted default configurations to match the new default passwords for file transfer tasks (port: 8722 / user: socketuser / strong password).
- Fixed an occasional false-critical notification for databases in the state "all tasks temporarily disabled".