On Fri, 10 May 2019 21:04:33 +0200 Salvatore Bonaccorso <car...@debian.org> wrote:
> Source: sqlite3
> Version: 3.27.2-2
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Hi,
>
> The following vulnerability was published for sqlite3.
>
> CVE-2019-5018[0]:
> Window Function Remote Code Execution Vulnerability
>
> The issue must have been fixed upstream around 2019-03-28, but no
> upstream fixing commit is referenced at [1].
>

Could this be that commit? I have not checked thoroughly, only looked at the commit message.

"Prevent aliases of window functions expressions from being used as arguments to aggregate or other window functions."

https://sqlite.org/src/info/1e16d3e8fc60d39c

> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2019-5018
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5018
> [1] https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0777
>
> Regards,
> Salvatore