SUSE has issued an advisory on May 2: http://lists.suse.com/pipermail/sle-security-updates/2019-May/005419.html The issues are fixed upstream in 3.28.0.
Assigning to our registered sqlite3 maintainer.
Assignee: bugsquad => shlomif
CC: (none) => marja11
Ubuntu advisory from June 3, with another issue fixed in sqlite3 3.28.0: https://usn.ubuntu.com/4004-1/
Summary: sqlite3 new security issues CVE-2019-9936 and CVE-2019-9937 => sqlite3 new security issues CVE-2019-8457, CVE-2019-9936, and CVE-2019-9937
Ubuntu advisory for the sqlite3 package itself from June 19: https://usn.ubuntu.com/4019-1/
Updated package uploaded by Shlomi.

Advisory:
========================

Updated sqlite3 packages fix security vulnerabilities:

It was discovered that SQLite incorrectly handled certain inputs. An attacker could possibly use this issue to access sensitive information (CVE-2019-8457).

It was discovered that SQLite incorrectly handled certain queries. An attacker could possibly use this issue to access sensitive information (CVE-2019-9936).

It was discovered that SQLite incorrectly handled certain inputs. An attacker could possibly use this issue to cause a crash or execute arbitrary code (CVE-2019-9937).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8457
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9936
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9937
https://usn.ubuntu.com/4019-1/
========================

Updated packages in core/updates_testing:
========================
libsqlite3_0-3.28.0-1.mga6
libsqlite3-devel-3.28.0-1.mga6
libsqlite3-static-devel-3.28.0-1.mga6
sqlite3-tools-3.28.0-1.mga6
lemon-3.28.0-1.mga6
sqlite3-tcl-3.28.0-1.mga6

from sqlite3-3.28.0-1.mga6.src.rpm
Assignee: shlomif => qa-bugs
CC: (none) => shlomif
Blocks: (none) => 25359
on mga6-64 packages installed cleanly:
sqlite3-tools-3.28.0-1.mga6.x86_64
lib64sqlite3_0-3.28.0-1.mga6.x86_64

Using the test file and following the procedure in bug 21200

$ sqlite3 testlite.db
SQLite version 3.28.0 2019-04-16 19:49:53
Enter ".help" for usage hints.
sqlite> .databases
main: /home/jim/testlite.db
sqlite> .tables
sqlite> .quit
$ sqlite3 testlite.db < create.sql
$ sqlite3 testlite.db
SQLite version 3.28.0 2019-04-16 19:49:53
Enter ".help" for usage hints.
sqlite> select * from events;
2019-09-02 14:19:41|First test event
2019-09-02 14:19:41|Second test event
sqlite> .quit

looks OK for mga6-64
Whiteboard: (none) => MGA6-64-OK
CC: (none) => jim
On mga6-32 in a vbox VM packages installed cleanly:
sqlite3-tools-3.28.0-1.mga6.i586
libsqlite3_0-3.28.0-1.mga6.i586

Using the test file and following the procedure in bug 21200

$ sqlite3 testlite.db
SQLite version 3.28.0 2019-04-16 19:49:53
Enter ".help" for usage hints.
sqlite> .databases
main: /home/jim/testlite.db
sqlite> .tables
sqlite> .quit
$ sqlite3 testlite.db < create.sql
$ sqlite3 testlite.db
SQLite version 3.28.0 2019-04-16 19:49:53
Enter ".help" for usage hints.
sqlite> select * from events;
2019-09-03 20:38:38|First test event
2019-09-03 20:38:38|Second test event
sqlite> .quit
$

OK for mga6-32
Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK
Update validated. Advisory in comment 4 needs to be uploaded.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0240.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED