On Sat, 4 May 2019 20:28:09 +0200 Helmut Grohne <hel...@subdivi.de> wrote:
I noticed that db5.3 builds an embedded copy of sqlite3, but it isn't
documented in the security tracker. This is troubling. Embedded code
copies are discouraged by the Debian Policy and sqlite3 has a history of
(few) vulnerabilities with CVEs. Please do one of the following:
A. Stop using the embedded sqlite3 in favour of the packaged one. (preferred)
B. Register your copy with the security tracker. Thus security updates
of sqlite3 can include an upload of db5.3.
A quick glance suggests that A is impossible, because db5.3 uses a
modified copy (see lang/sql/README). If that assessment is correct,
you'll have to update
https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/embedded-code-copies
and add a line below "sqlite3" stating:
- db5.3 <unfixed> (modified-embed)
This causes CVE-2019-8457 not to be fixed in db5.3. Ubuntu has a patch.
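The report asks for a line of the form `- db5.3 <unfixed> (modified-embed)` under a `sqlite3` header in the tracker's embedded-code-copies list, so that a sqlite3 security update can find the packages that also need an upload. The following is an added example (not the bug report's content and not the security tracker's own tooling) of a small parser that answers that question over such a list. Its syntax is assumed, generalised from the single line quoted above: a bare library name opens a block, and each indented `- <package> <status> (<note>)` entry below it records one copy; the sample data, the `examplepkg`/`otherpkg` entries and the `<removed>` status are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


# One embedded-copy entry. Field names are this example's own.
@dataclass
class EmbeddedCopy:
    package: str   # Debian source package carrying the copy
    status: str    # text inside <...>, e.g. "unfixed"
    note: str      # text inside (...), e.g. "modified-embed"


# Assumed entry syntax, generalised from the line quoted in the report:
# "- <package> <status> (<note>)". The parenthesised note is optional.
ENTRY_RE = re.compile(
    r"^\s*-\s+(?P<pkg>\S+)\s+<(?P<status>[^>]*)>\s*(?:\((?P<note>[^)]*)\))?\s*$"
)


def parse_embedded_copies(text: str) -> Dict[str, List[EmbeddedCopy]]:
    """Map each library name to the list of packages that embed it."""
    copies: Dict[str, List[EmbeddedCopy]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        # Skip blank lines and '#' comments.
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"entry before any library header: {line!r}")
            copies[current].append(
                EmbeddedCopy(m["pkg"], m["status"], m["note"] or "")
            )
        else:
            # Any other non-empty line opens a new library block.
            current = line.strip()
            copies.setdefault(current, [])
    return copies


def packages_needing_upload(text: str, library: str) -> List[str]:
    """Packages whose embedded copy of `library` is still marked <unfixed>,
    i.e. the ones a security update of `library` must also rebuild and upload."""
    return [
        c.package
        for c in parse_embedded_copies(text).get(library, [])
        if c.status == "unfixed"
    ]


# Constructed sample in the style of the line quoted in the report; the
# examplepkg, otherpkg and zlib entries are invented for this example.
SAMPLE = """\
sqlite3
  - db5.3 <unfixed> (modified-embed)
  - examplepkg <removed> (embed)

zlib
  - otherpkg <unfixed> (static)
"""

if __name__ == "__main__":
    for lib in ("sqlite3", "zlib"):
        print(lib, "->", packages_needing_upload(SAMPLE, lib))
```

Run against the real `data/embedded-code-copies` file, `packages_needing_upload(text, "sqlite3")` would list every package whose copy is still marked `<unfixed>`; a `modified-embed` note is the signal that simply switching to the packaged library (option A in the report) is not available and the copy must be patched in place.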