Michal Zalewski reported a number of vulnerabilities in Sqlite3 that are now fixed in version 3.8.9.0. This version has been updated in FreeBSD's ports collection, but the older versions lower than current should be marked as vulnerable. Here is the report: http://seclists.org/fulldisclosure/2015/Apr/31
3.8.9(.0) was recently committed to the Ports tree. Does that resolve this PR?
needs-patch is for someone to write a VuXML entry. Unfortunately, the wording in comment 0's URL cannot be used as is in the <blockquote> section. I think it should be more formal and succinct. See how other vulnerabilities are documented.

(In reply to Kubilay Kocak from comment #1) No, previous sqlite3 versions are still NOT marked vulnerable and 2015Q2 contains 3.8.8.3.
Hmm, other distributions didn't do better.

https://security-tracker.debian.org/tracker/source-package/sqlite3
https://bugzilla.redhat.com/show_bug.cgi?id=1212360 (see blocked bugs)
https://bugs.gentoo.org/show_bug.cgi?id=546626
So to clarify, we need:

- A VuXML patch for the SA
- An MFH of an existing commit, or a new one?
A commit references this bug:

Author: jbeich
Date: Sat Apr 18 10:17:26 UTC 2015
New revision: 384217
URL: https://svnweb.freebsd.org/changeset/ports/384217

Log:
  Document sqlite3 multiple vulnerabilities

  PR:		199483

Changes:
  head/security/vuxml/vuln.xml
I've added VuXML entry as bad as Debian analog. The upside being lack of bias in the interpretation. Now awaiting MFH approval (via mail).
A commit references this bug:

Author: jbeich
Date: Fri May 8 18:42:32 UTC 2015
New revision: 385815
URL: https://svnweb.freebsd.org/changeset/ports/385815

Log:
  VuXML: update sqlite3 entry with verbose descriptions. CVE-2015-341[4-6]

  PR:		199483

Changes:
  head/security/vuxml/vuln.xml
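For readers unfamiliar with the format comment 3 asks for, this is an added illustration of a VuXML entry for this PR, constructed here rather than the text actually committed in r384217/r385815. The package names, version bound, CVE ids, report URL and entry date are taken from this bug; the vid and discovery date are placeholders, and the quoted sentence is a paraphrase, not the advisory's wording.

```xml
<!-- Constructed example, not the entry committed to security/vuxml/vuln.xml -->
<vuln vid="00000000-0000-0000-0000-000000000000"> <!-- placeholder: use uuidgen(1) output -->
  <topic>sqlite3 -- multiple vulnerabilities</topic>
  <affects>
    <package>
      <!-- both ports touched by the MFH of r384086 -->
      <name>sqlite3</name>
      <name>tcl-sqlite3</name>
      <range><lt>3.8.9</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <p>Michal Zalewski reports:</p>
      <blockquote cite="http://seclists.org/fulldisclosure/2015/Apr/31">
	<!-- paraphrase; the committed entry quotes the report itself -->
	<p>Multiple vulnerabilities were found in SQLite that are fixed in
	  release 3.8.9.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2015-3414</cvename>
    <cvename>CVE-2015-3415</cvename>
    <cvename>CVE-2015-3416</cvename>
    <url>http://seclists.org/fulldisclosure/2015/Apr/31</url>
    <freebsdpr>ports/199483</freebsdpr>
  </references>
  <dates>
    <discovery>2015-04-01</discovery> <!-- placeholder: the report's date -->
    <entry>2015-04-18</entry>
  </dates>
</vuln>
```

Run `make validate` in security/vuxml after editing vuln.xml so the entry is checked against the DTD before it is committed or MFH'd.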
Closing per timeout. No approval to MFH ports r384086 received.

> From: Jan Beich <jbeich@FreeBSD.org>
> To: portmgr@FreeBSD.org, ports-secteam@FreeBSD.org
> Subject: MFH request r384086 to 2015Q2
> Date: Sat, 18 Apr 2015 01:46:51 +0200
> Message-ID: <lhhq-nwr8-wny@FreeBSD.org>
>
> Per bug 199483 I want to backport r384086 (skipping r384095 and r384137)
> in order to fix multiple vulnerabilities that lack CVE numbers.
[...]
A commit references this bug:

Author: jbeich
Date: Sat May 9 05:16:55 UTC 2015
New revision: 385863
URL: https://svnweb.freebsd.org/changeset/ports/385863

Log:
  MFH: r384086

  Update to version 3.8.9

  Changes:	https://sqlite.org/releaselog/3_8_9.html
  ACC report:	http://upstream-tracker.org/compat_reports/sqlite/3080803_to_3080900/abi_compat_report.html
  PR:		199312
  PR:		199313
  PR:		199483
  Submitted by:	Pavel Volkov <pavelivolkov@gmail.com> (maintainer)
  Approved by:	ports-secteam (delphij)

Changes:
_U  branches/2015Q2/
  branches/2015Q2/databases/sqlite3/Makefile
  branches/2015Q2/databases/sqlite3/distinfo
  branches/2015Q2/databases/tcl-sqlite3/Makefile
  branches/2015Q2/databases/tcl-sqlite3/distinfo