The chromium update from April 18 also includes an sqlite security fix: https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_18.html
Whiteboard: (none) => MGA8TOO
Assigning to Stig, the current packager looking after sqlite3.
Assignee: bugsquad => smelror
Ubuntu has issued an advisory on January 3: https://ubuntu.com/security/notices/USN-6566-1
CC: (none) => nicolas.salguero
Summary: sqlite3 new security issue CVE-2023-2137 => sqlite3 new security issues CVE-2023-2137 and CVE-2023-7104
CVE: (none) => CVE-2023-2137, CVE-2023-7104
Severity: normal => critical
Whiteboard: MGA8TOO => MGA9TOO
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Heap buffer overflow in sqlite. (CVE-2023-2137)

A vulnerability was found in SQLite SQLite3 up to 3.43.0 and classified as critical. This issue affects the function sessionReadRecord of the file ext/session/sqlite3session.c of the component make alltest Handler. The manipulation leads to heap-based buffer overflow. (CVE-2023-7104)

References:
https://chromereleases.googleblog.com/2023/04/stable-channel-update-for-desktop_18.html
https://ubuntu.com/security/notices/USN-6566-1
========================

Updated packages in core/updates_testing:
========================
lemon-3.40.1-1.1.mga9
lib(64)sqlite3_0-3.40.1-1.1.mga9
lib(64)sqlite3-devel-3.40.1-1.1.mga9
lib(64)sqlite3-static-devel-3.40.1-1.1.mga9
sqlite3-tcl-3.40.1-1.1.mga9
sqlite3-tools-3.40.1-1.1.mga9

from SRPM:
sqlite3-3.40.1-1.1.mga9.src.rpm
Assignee: smelror => qa-bugs
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Status: NEW => ASSIGNED
CC: (none) => mageia
Keywords: (none) => advisory
CC: (none) => herman.viaene
Herman Viaene, can you please do the same test as in previous rounds? Thank you.
CC: (none) => andrewsfarm
RH mageia 9 x86_64

Install all the packages, uninstall devel and extra packages, keep the updated lib64sqlite3_0

LC_ALL=C urpmi /home/katnatek/qa-testing/x86_64/*.rpm

installing lib64sqlite3-static-devel-3.40.1-1.1.mga9.x86_64.rpm sqlite3-tools-3.40.1-1.1.mga9.x86_64.rpm lib64sqlite3-devel-3.40.1-1.1.mga9.x86_64.rpm lib64sqlite3_0-3.40.1-1.1.mga9.x86_64.rpm sqlite3-tcl-3.40.1-1.1.mga9.x86_64.rpm lemon-3.40.1-1.1.mga9.x86_64.rpm from /home/katnatek/qa-testing/x86_64
Preparing... ######################################################################################
1/6: lib64sqlite3_0 ######################################################################################
2/6: sqlite3-tools ######################################################################################
3/6: lib64sqlite3-devel ######################################################################################
4/6: lib64sqlite3-static-devel ######################################################################################
5/6: sqlite3-tcl ######################################################################################
6/6: lemon ######################################################################################
1/1: removing lib64sqlite3_0-3.40.1-1.mga9.x86_64 ######################################################################################

urpme $(rpm -qa|grep sqlite3|grep devel) lemon

quitando lemon-3.40.1-1.1.mga9.x86_64 lib64sqlite3-devel-3.40.1-1.1.mga9.x86_64 lib64sqlite3-static-devel-3.40.1-1.1.mga9.x86_64
quitando paquete lib64sqlite3-static-devel-3.40.1-1.1.mga9.x86_64
1/3: quitando lib64sqlite3-static-devel-3.40.1-1.1.mga9.x86_64 ######################################################################################
quitando paquete lib64sqlite3-devel-3.40.1-1.1.mga9.x86_64
2/3: quitando lib64sqlite3-devel-3.40.1-1.1.mga9.x86_64 ######################################################################################
quitando paquete lemon-3.40.1-1.1.mga9.x86_64
3/3: quitando lemon-3.40.1-1.1.mga9.x86_64 ######################################################################################

LC_ALL=C urpme sqlite3-tools sqlite3-tcl

removing sqlite3-tcl-3.40.1-1.1.mga9.x86_64 sqlite3-tools-3.40.1-1.1.mga9.x86_64
removing package sqlite3-tcl-3.40.1-1.1.mga9.x86_64
1/2: removing sqlite3-tcl-3.40.1-1.1.mga9.x86_64 ######################################################################################
removing package sqlite3-tools-3.40.1-1.1.mga9.x86_64
2/2: removing sqlite3-tools-3.40.1-1.1.mga9.x86_64 ######################################################################################
@Comment 4: your wish is my command. Installed sqlitestudio and repeated the test as in bug 31312: table with autoincrement primary key, unique text field, other text field without rules and a timestamp. Works OK.
Whiteboard: (none) => MGA9-64-OK
Herman's test (thank you for that) was enough in previous rounds.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0073.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED