Your message dated Mon, 10 Jun 2019 17:04:24 +0000
with message-id <e1hania-0002u0...@fasolo.debian.org>
and subject line Bug#928770: fixed in sqlite3 3.27.2-3
has caused the Debian Bug report #928770,
regarding sqlite3: CVE-2019-5018: Window Function Remote Code Execution Vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
928770: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928770
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: sqlite3
Version: 3.27.2-2
Severity: grave
Tags: security
Justification: user security hole

Hi,

The following vulnerability was published for sqlite3.

CVE-2019-5018[0]:
Window Function Remote Code Execution Vulnerability

The issue must have been fixed upstream around 2019-03-28, but no
upstream fixing commit is referenced at [1].

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-5018
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5018
[1] https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0777

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: sqlite3
Source-Version: 3.27.2-3

We believe that the bug you reported is fixed in the latest version of
sqlite3, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 928...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <g...@debian.org> (supplier of updated sqlite3 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 01 Jun 2019 15:38:52 +0000
Source: sqlite3
Architecture: source
Version: 3.27.2-3
Distribution: unstable
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <g...@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <g...@debian.org>
Closes: 928770
Changes:
 sqlite3 (3.27.2-3) unstable; urgency=high
 .
   * Backport security related patches:
     - CVE-2019-8457: heap out-of-bound read in the rtreenode() function when
       handling invalid rtree tables,
     - prevent aliases of window functions expressions from being used as
       arguments to aggregate or other window functions (probably fixing
       CVE-2019-5018) (closes: #928770),
     - enforce the SQLITE_LIMIT_COLUMN limit on virtual tables (probably
       fixing most of CVE-2019-5827),
     - use the 64-bit memory allocator interfaces in extensions, whenever
       possible (probably additional fix for CVE-2019-5827).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---