sqlite is now (as of June 2025) a bundled package that is included in emulators/linux_base-rl9. ports ef45e45f8c0004c4b31301ff8d8c3fe5692f4577 bumped linux_base-rl9 to 9.6_1. In that change, it updated the sqlite version bundled there from 3.34.1-7.el9_3 => 3.34.1-8.el9_6. The 3.34.1-8.el9 package includes a patch to fix CVE-2025-6965. I will attach a patch here to update the vuln entry.
Created attachment 263577 [details] [patch] update vuxml for CVE-2025-6965 (linux_base-rl9 has a fix now)

As described in comment 0, emulators/linux_base-rl9 has a fix for CVE-2025-6965 in the bundled upstream sqlite & sqlite-libs packages.

I don't know the lower bound for when this vulnerability in sqlite was introduced. So this patch marks linux_base-rl9 < 9.6_1 as vulnerable. But linux_base-rl9 9.5_13 did not bundle sqlite at all, so that version (and earlier) of linux_base-rl9 is not vulnerable.

I also marked linux-rl9-sqlite3 as vulnerable. That package is removed in the latest ports tree (again, that was in June 2025), but there certainly could be systems in the wild that still have that package installed. As I said, I don't know the lower bound of sqlite regarding this vulnerability, so I marked all linux-rl9-sqlite3 as vulnerable. That is very possibly correct, but if not, a future update for this vuln id could narrow the granularity of that markup. At this time the attached patch might be overly wide, but it matches the best information I have been able to determine at this time.

The attached patch narrows the vulnerable range for linux_base-rl9 and moves a comment that seems to have been added in the wrong location (from ports 7296fd2fe2b0415f31fe4b843f05b942ae8f9819).
Add FYI CC for review by last committer for this vuln id.
(In reply to John Hein from comment #0)
"ports ef45e45f8c0004c4b31301ff8d8c3fe5692f4577 bumped linux_base-rl9 to 9.6_1"

p.s. Note that the commit message for ports ef45e45f8c0004c4b31301ff8d8c3fe5692f4577 said that it is an upstream "reroll". I'm not sure if it is just me, but I think the typical connotation for "reroll" in this context is that the change is a trivial update of a distribution tarball: removed unused files, changed date stamps on files, or trivial modifications to documentation or the build process. This update was definitely a functional change, so by that understanding of the term, I would claim it is more than a reroll. In particular, for this sqlite issue, it fixes a vulnerability in the sqlite package. This is just a nit-pick comment on that commit log message; it has nothing to do with the vuxml update directly.
Created attachment 263580 [details] [patch] update vuxml for CVE-2025-6965 (linux_base-rl9 has a fix now) [v2]

Update: I forgot to add linux-rl9-sqlite3 as promised in comment 1. Now added in v2 of the patch.
Committed, Thanks!
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ba0e37e3255417721cc1f0061ca2c957a569e6f6

commit ba0e37e3255417721cc1f0061ca2c957a569e6f6
Author:     Fernando Apesteguía <fernape@FreeBSD.org>
AuthorDate: 2025-09-28 16:03:03 +0000
Commit:     Fernando Apesteguía <fernape@FreeBSD.org>
CommitDate: 2025-09-28 16:03:03 +0000

    security/vuxml: fix SQLite entry

    Vulnerable version range for sqlite currently bundled in linux_base-rl9
    (CVE-2025-6595).

    PR:             289358
    Reported by:    jcfyecrayz@liamekaens.com

 security/vuxml/vuln/2025.xml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)