Your message dated Fri, 07 Sep 2007 16:02:12 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#441233: fixed in sqlite 2.8.17-2.1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: sqlite
Version: 2.8.17-2
Severity: grave
Tags: security

Hi,
A CVE was published for sqlite2:
CVE-2007-1888[0]:
Buffer overflow in the sqlite_decode_binary function in src/encode.c in SQLite
2, as used by PHP 4.x through 5.x and other applications, allows
context-dependent attackers to execute arbitrary code via an empty value of the
in parameter. NOTE: some PHP installations use a bundled version of sqlite
without this vulnerability. The SQLite developer has argued that this issue
could be due to a misuse of the sqlite_decode_binary() API.

I already have a fixed package ready, so I am going to 0-day NMU this package to fix
this.
Kind regards
Nico
-- 
Nico Golde - http://ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.



--- End Message ---
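The CVE text above names the function and the trigger (an empty `in` value) but not the format. As an added example, not code from the bug report, the CVE entry or the Debian patch, here is SQLite 2's binary encoding from src/encode.c reimplemented from its documented scheme, beside a length-checked decoder; the function names, the `in_len`/`out_cap` bounds and the self-test samples are my own, and the actual 01-fix-CVE-2007-1888.patch may guard the empty-input case differently. Note that a correct encoder always emits at least the offset byte, so an empty decoder input only arises when a caller feeds the decoder data that never went through the encoder, which is the "API misuse" argument quoted in the CVE note.

```c
#include <string.h>
/* SQLite 2 src/encode.c scheme: an offset e (never a quote) is chosen to need the
 * fewest escapes; emit (in[i]-e)&0xff, escaping 0->1 1, 1->1 2, '\''->1 3. */
int sqlite2_encode_binary(const unsigned char *in, int n, unsigned char *out){
  int cnt[256] = {0}, i, j, e = 1, m = n;
  if( n<=0 ){ out[0] = 'x'; out[1] = 0; return 1; }   /* empty input -> "x" */
  for(i=0; i<n; i++) cnt[in[i]]++;
  for(i=1; i<256; i++){               /* offset that minimizes escape count */
    int sum = cnt[i] + cnt[(i+1)&0xff] + cnt[(i+'\'')&0xff];
    if( i!='\'' && sum<m ){ m = sum; e = i; if( m==0 ) break; }
  }
  out[0] = (unsigned char)e;
  for(i=0, j=1; i<n; i++){
    int c = (in[i] - e)&0xff;
    if( c==0 ){ out[j++] = 1; out[j++] = 1; }
    else if( c==1 ){ out[j++] = 1; out[j++] = 2; }
    else if( c=='\'' ){ out[j++] = 1; out[j++] = 3; }
    else out[j++] = (unsigned char)c;
  }
  out[j] = 0; return j;                /* NUL-terminated, no NUL or quote inside */
}
/* sqlite_decode_binary() takes no length: in[0] is the offset, then it scans to
 * a NUL, so an empty string's only NUL is eaten as the offset and the scan runs
 * off the buffer (CVE-2007-1888). Bounded: -1 on empty input, bad escape, full out. */
int sqlite2_decode_binary_checked(const unsigned char *in, size_t in_len,
                                  unsigned char *out, size_t out_cap){
  size_t p = 1, i = 0;
  if( in_len==0 || in[0]==0 ) return -1;           /* the CVE trigger */
  while( p<in_len && in[p]!=0 ){
    int c = in[p++];
    if( c==1 ){                                     /* two-byte escape */
      if( p>=in_len || in[p]==0 ) return -1;        /* escape cut off */
      c = in[p++];
      if( c==1 ) c = 0; else if( c==2 ) c = 1;
      else if( c==3 ) c = '\''; else return -1;
    }
    if( i>=out_cap ) return -1; out[i++] = (unsigned char)((c + in[0])&0xff);
  }
  return (int)i;
}
int sqlite2_self_test(void){         /* constructed samples; returns 1 on success */
  const unsigned char raw[] = {0, 1, '\'', 0xff, 0x80, 'a'};
  const unsigned char esc[] = {5, 1,1, 1,2, 1,3, 0x10, 0};   /* -> 5 6 0x2c 0x15 */
  unsigned char enc[32], dec[8]; int n = sqlite2_encode_binary(raw, 6, enc);
  return n>0 && !memchr(enc, 0, n) && !memchr(enc, '\'', n)
      && sqlite2_decode_binary_checked(enc, n, dec, 8)==6 && !memcmp(raw, dec, 6)
      && sqlite2_decode_binary_checked(esc, 9, dec, 8)==4 && !memcmp(dec, "\5\6\x2c\x15", 4)
      && sqlite2_decode_binary_checked(esc, 2, dec, 8)==-1
      && sqlite2_decode_binary_checked((const unsigned char *)"", 1, dec, 8)==-1;
}
```

The self-test covers a round trip, a hand-built string that uses all three escapes, a truncated escape, and the empty-string case from the CVE.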
--- Begin Message ---
Source: sqlite
Source-Version: 2.8.17-2.1

We believe that the bug you reported is fixed in the latest version of
sqlite, which is due to be installed in the Debian FTP archive:

libsqlite-tcl_2.8.17-2.1_i386.deb
  to pool/main/s/sqlite/libsqlite-tcl_2.8.17-2.1_i386.deb
libsqlite0-dev_2.8.17-2.1_i386.deb
  to pool/main/s/sqlite/libsqlite0-dev_2.8.17-2.1_i386.deb
libsqlite0_2.8.17-2.1_i386.deb
  to pool/main/s/sqlite/libsqlite0_2.8.17-2.1_i386.deb
sqlite-doc_2.8.17-2.1_all.deb
  to pool/main/s/sqlite/sqlite-doc_2.8.17-2.1_all.deb
sqlite_2.8.17-2.1.diff.gz
  to pool/main/s/sqlite/sqlite_2.8.17-2.1.diff.gz
sqlite_2.8.17-2.1.dsc
  to pool/main/s/sqlite/sqlite_2.8.17-2.1.dsc
sqlite_2.8.17-2.1_i386.deb
  to pool/main/s/sqlite/sqlite_2.8.17-2.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <[EMAIL PROTECTED]> (supplier of updated sqlite package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 07 Sep 2007 17:47:03 +0200
Source: sqlite
Binary: libsqlite0-dev libsqlite0 sqlite sqlite-doc libsqlite-tcl
Architecture: source i386 all
Version: 2.8.17-2.1
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <[EMAIL PROTECTED]>
Changed-By: Nico Golde <[EMAIL PROTECTED]>
Description: 
 libsqlite-tcl - SQLite TCL bindings
 libsqlite0 - SQLite shared library
 libsqlite0-dev - SQLite development files
 sqlite     - command line interface for SQLite
 sqlite-doc - SQLite documentation
Closes: 441233
Changes: 
 sqlite (2.8.17-2.1) unstable; urgency=high
 .
   * Non-maintainer upload by testing security team.
   * Included 01-fix-CVE-2007-1888.patch to fix buffer overflow
     in encode.c (CVE-2007-1888) (Closes: #441233).
Files: 
 7510d0500724537dc1f19ad8b023f8a5 745 devel optional sqlite_2.8.17-2.1.dsc
 2865f785eb24c5ef2da2e4d9164d1195 213866 devel optional sqlite_2.8.17-2.1.diff.gz
 1642e377e97ccc010d9abf44b42b5066 167208 doc optional sqlite-doc_2.8.17-2.1_all.deb
 eabe5d0bbc4bc53269dd8f6b316d7526 20844 misc optional sqlite_2.8.17-2.1_i386.deb
 a5656144a7c94143529c59031a832568 180106 libs optional libsqlite0_2.8.17-2.1_i386.deb
 aa26f2c8a05e757943248e1ffdff3ec5 208948 libdevel optional libsqlite0-dev_2.8.17-2.1_i386.deb
 f7a4a1123444879f7608ff68f45c71f6 13232 interpreters optional libsqlite-tcl_2.8.17-2.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG4XSvHYflSXNkfP8RAke5AJ9j+qk7CGHeQNKQSdJxF8Bg0HVUOACgmcOR
Uyha/22S58zHpm0XP8GZMBg=
=lPg/
-----END PGP SIGNATURE-----


--- End Message ---