SUSE has issued an advisory on December 21: https://lists.suse.com/pipermail/sle-security-updates/2022-December/013303.html Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
It seems these packages are mofified: libsqlite3-0 >= 3.39.3-150000.3.20.1 libsqlite3-0-32bit >= 3.39.3-150000.3.20.1 sqlite3 >= 3.39.3-150000.3.20.1 sqlite3-devel >= 3.39.3-150000.3.20.1 sqlite3-tcl >= 3.39.3-150000.3.20.1 Following the advisory links, I could not arrive nearer to the patch than: SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2022-4603=1 SUSE Linux Enterprise Server 12-SP5: zypper in -t patch SUSE-SLE-SERVER-12-SP5-2022-4603=1 Stig is the main committer for sqlite3 version updates, so assigning to you. This looks more complicated.
Assignee: bugsquad => smelror
openSUSE has issued an advisory for this today (December 28): https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XNUCFJDJQRYX6KHGSM7ODVW7QJMN7GP5/
Hi, For Cauldron, sqlite3-3.40.1-1.mga9 solves that issue. Best regards, Nico.
Whiteboard: MGA8TOO => (none)Version: Cauldron => 8CC: (none) => nicolas.salguero
Suggested advisory: ======================== The updated packages fix a security vulnerability: SQLite through 3.40.0, when relying on --safe for execution of an untrusted CLI script, does not properly implement the azProhibitedFunctions protection mechanism, and instead allows UDF functions such as WRITEFILE. (CVE-2022-46908) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-46908 https://lists.suse.com/pipermail/sle-security-updates/2022-December/013303.html https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/XNUCFJDJQRYX6KHGSM7ODVW7QJMN7GP5/ ======================== Updated packages in core/updates_testing: ======================== lemon-3.39.2-1.1.mga8 lib(64)sqlite3_0-3.39.2-1.1.mga8 lib(64)sqlite3-devel-3.39.2-1.1.mga8 lib(64)sqlite3-static-devel-3.39.2-1.1.mga8 sqlite3-tcl-3.39.2-1.1.mga8 sqlite3-tools-3.39.2-1.1.mga8 from SRPM: sqlite3-3.39.2-1.1.mga8.src.rpm
Assignee: smelror => qa-bugsStatus: NEW => ASSIGNEDSource RPM: sqlite3-3.40.0-1.mga9.src.rpm => sqlite3-3.39.2-1.mga8.src.rpmCVE: (none) => CVE-2022-46908
MGA8-64 MATE on Acer Aspire 5253 No installation issues. As in bug 30660, used sqlitestudio to delete existing database, created a new database and create a new table in it with a PK, not null string, other string without rules and a timestamp column. Populated a few rows, all worked OK.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK
Validating. Advisory in Comment 4.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_update
Keywords: (none) => advisoryCC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0094.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED