Bug 24750 - sqlite3 new security issues CVE-2019-8457, CVE-2019-9936, and CVE-2019-9937
Summary: sqlite3 new security issues CVE-2019-8457, CVE-2019-9936, and CVE-2019-9937
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-05-03 20:35 CEST by David Walser
Modified: 2019-08-12 15:35 CEST
CC List: 2 users

See Also:
Source RPM: sqlite3-3.25.3-1.mga6.src.rpm
CVE:
Status comment:


Description David Walser 2019-05-03 20:35:09 CEST
SUSE has issued an advisory on May 2:
http://lists.suse.com/pipermail/sle-security-updates/2019-May/005419.html

The issues are fixed upstream in 3.28.0.

Comment 1 Marja Van Waes 2019-05-03 21:11:04 CEST
Assigning to our registered sqlite3 maintainer.

CC: (none) => marja11
Assignee: bugsquad => shlomif

Comment 2 David Walser 2019-08-11 22:07:05 CEST
Ubuntu advisory from June 3, with another issue fixed in sqlite3 3.28.0:
https://usn.ubuntu.com/4004-1/

Summary: sqlite3 new security issues CVE-2019-9936 and CVE-2019-9937 => sqlite3 new security issues CVE-2019-8457, CVE-2019-9936, and CVE-2019-9937

Comment 3 David Walser 2019-08-11 22:55:07 CEST
Ubuntu advisory for the sqlite3 package itself from June 19:
https://usn.ubuntu.com/4019-1/

Comment 4 David Walser 2019-08-12 15:35:52 CEST
Updated package uploaded by Shlomi.

Advisory:
========================

Updated sqlite3 packages fix security vulnerabilities:

It was discovered that SQLite incorrectly handled certain inputs. An attacker
could possibly use this issue to access sensitive information (CVE-2019-8457).

It was discovered that SQLite incorrectly handled certain queries. An attacker
could possibly use this issue to access sensitive information (CVE-2019-9936).

It was discovered that SQLite incorrectly handled certain inputs. An attacker
could possibly use this issue to cause a crash or execute arbitrary code
(CVE-2019-9937).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8457
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9936
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9937
https://usn.ubuntu.com/4019-1/
========================

Updated packages in core/updates_testing:
========================
libsqlite3_0-3.28.0-1.mga6
libsqlite3-devel-3.28.0-1.mga6
libsqlite3-static-devel-3.28.0-1.mga6
sqlite3-tools-3.28.0-1.mga6
lemon-3.28.0-1.mga6
sqlite3-tcl-3.28.0-1.mga6

from sqlite3-3.28.0-1.mga6.src.rpm

CC: (none) => shlomif
Assignee: shlomif => qa-bugs

