From owner-freebsd-security@freebsd.org  Sun Dec 16 16:14:08 2018
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 0A5131330F07;
 Sun, 16 Dec 2018 16:14:08 +0000 (UTC)
 (envelope-from marquis@roble.com)
Received: from mx5.roble.com (mx5.roble.com [209.237.23.5])
 (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits))
 (Client CN "mx5.roble.com", Issuer "mx5.roble.com" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 46E8C8D443;
 Sun, 16 Dec 2018 16:14:07 +0000 (UTC)
 (envelope-from marquis@roble.com)
Received: from roble.com (roble.com [209.237.23.50])
 by mx5.roble.com (Postfix) with ESMTP id 601D4661BE;
 Sun, 16 Dec 2018 08:13:59 -0800 (PST)
Date: Sun, 16 Dec 2018 08:13:59 -0800 (PST)
From: Roger Marquis <marquis@roble.com>
To: freebsd-security@freebsd.org
cc: ports-secteam@FreeBSD.org
Subject: SQLite vulnerability
Message-ID: <nycvar.OFS.7.76.444.1812160753280.5993@mx.roble.com>
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset=US-ASCII
X-Rspamd-Queue-Id: 46E8C8D443
X-Spamd-Bar: +++
Authentication-Results: mx1.freebsd.org
X-Spamd-Result: default: False [3.74 / 15.00]; ARC_NA(0.00)[];
 FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[];
 NEURAL_SPAM_SHORT(0.95)[0.949,0]; MIME_GOOD(-0.10)[text/plain];
 TO_DN_NONE(0.00)[]; DMARC_NA(0.00)[roble.com]; AUTH_NA(1.00)[];
 NEURAL_SPAM_MEDIUM(0.97)[0.965,0]; RCVD_TLS_LAST(0.00)[];
 MX_GOOD(-0.01)[mx4.roble.com,mx7.roble.com];
 RCPT_COUNT_TWO(0.00)[2]; NEURAL_SPAM_LONG(0.96)[0.956,0];
 R_SPF_NA(0.00)[]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[];
 MIME_TRACE(0.00)[0:+];
 ASN(0.00)[asn:17403, ipnet:209.237.0.0/18, country:US];
 FORGED_RECIPIENTS(0.00)[freebsd-security@freebsd.org
 ..,freebsd-security@freebsd.org ...]; 
 IP_SCORE(-0.02)[country: US(-0.08)]; RCVD_COUNT_TWO(0.00)[2]
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 16 Dec 2018 16:14:08 -0000

Thanks to Chrome{,ium} a recently discovered SQLite exploit has been all
over the news for a week now.  It is patched on all Linux platforms but
has not yet shown up in FreeBSD's vulxml database.  Does this mean:

  A) FreeBSD versions prior to 3.26.0 are not vulnerable, or

  B) the ports-secteam is not able to properly maintain the vulnerability
  database?

If the latter perhaps someone from the security team could let us know
how such a significant vulnerability could go unflagged for so long and,
more importantly, what might be done to address the gap in reporting?

Roger Marquis