sqlite3: CVE-2020-9327

Related Vulnerabilities: CVE-2020-9327  

Debian Bug report logs - #951835
sqlite3: CVE-2020-9327


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 22 Feb 2020 09:39:04 UTC

Severity: important

Tags: security, upstream

Found in version sqlite3/3.31.1-2

Fixed in version sqlite3/3.31.1-3

Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#951835; Package src:sqlite3. (Sat, 22 Feb 2020 09:39:06 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Sat, 22 Feb 2020 09:39:06 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: sqlite3: CVE-2020-9327
Date: Sat, 22 Feb 2020 10:37:06 +0100
Source: sqlite3
Version: 3.31.1-2
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for sqlite3.

CVE-2020-9327[0]:
| In SQLite 3.31.1, isAuxiliaryVtabOperator allows attackers to trigger
| a NULL pointer dereference and segmentation fault because of generated
| column optimizations.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-9327
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9327

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>:
You have taken responsibility. (Sat, 22 Feb 2020 12:12:30 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 22 Feb 2020 12:12:30 GMT).


Message #10 received at 951835-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 951835-close@bugs.debian.org
Subject: Bug#951835: fixed in sqlite3 3.31.1-3
Date: Sat, 22 Feb 2020 12:09:43 +0000
Source: sqlite3
Source-Version: 3.31.1-3
Done: Laszlo Boszormenyi (GCS) <gcs@debian.org>

We believe that the bug you reported is fixed in the latest version of
sqlite3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 951835@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <gcs@debian.org> (supplier of updated sqlite3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 22 Feb 2020 10:43:26 +0000
Source: sqlite3
Architecture: source
Version: 3.31.1-3
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <gcs@debian.org>
Closes: 861670 951835
Changes:
 sqlite3 (3.31.1-3) unstable; urgency=high
 .
   * Backport upstream security fixes for CVE-2020-9327: segmentation fault in
     isAuxiliaryVtabOperator() (closes: #951835).
 .
   [ Kari Pahula <kaol@debian.org> ]
   * Provide sqldiff.1 manpage (closes: #861670).






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Feb 22 16:42:45 2020; Machine Name: buxtehude
