Date: Wed, 24 Aug 2016 12:10:07 -0700
From: Cy Schubert <Cy.Schubert@komquats.com>
To: Cy Schubert <Cy.Schubert@komquats.com>
Cc: Shawn Webb <shawn.webb@hardenedbsd.org>, Cy Schubert <cy@FreeBSD.org>, svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org, re@freebsd.org, so@freebsd.org
Subject: Re: svn commit: r304747 - in head/contrib/sqlite3: . tea
Message-ID: <201608241910.u7OJA7dH012503@slippy.cwsent.com>
In-Reply-To: Message from Cy Schubert <Cy.Schubert@komquats.com> of "Wed, 24 Aug 2016 05:55:16 -0700." <201608241255.u7OCtGK3019972@slippy.cwsent.com>
In message <201608241255.u7OCtGK3019972@slippy.cwsent.com>, Cy Schubert writes:
> In message <20160824123811.GB74786@mutt-hardenedbsd>, Shawn Webb writes:
> >
> > On Wed, Aug 24, 2016 at 05:35:54AM -0700, Cy Schubert wrote:
> > > In message <201608241232.u7OCWPsn020853@repo.freebsd.org>, Cy Schubert
> > > writes:
> > > > Author: cy
> > > > Date: Wed Aug 24 12:32:24 2016
> > > > New Revision: 304747
> > > > URL: https://svnweb.freebsd.org/changeset/base/304747
> > > >
> > > > Log:
> > > >   MFV r304732.
> > > >
> > > >   Update from sqlite3-3.12.1 (3120100) to sqlite3-3.14.1 (3140100).
> > > >
> > > >   This commit addresses the tmpdir selection vulnerability fixed in
> > > >   sqlite3-1.13.0. See VuXML entry 546deeea-3fc6-11e6-a671-60a44ce6887b.
> > > >
> > > >   Security:	VuXML 546deeea-3fc6-11e6-a671-60a44ce6887b
> > > >   Security:	CVE-2016-6153
> > >
> > > This should probably be MFCed in a week unless re@ wants it sooner of
> > > course.
> >
> > Does this also need a FreeBSD errata notice or security announcement?
>
> Not for the upcoming 11.0 release. The 10 branch OTOH appears to have
> 1.8.14, which is much much older, so I think that we should or at least do
> a direct commit to simply address the vulnerability. (I haven't looked at
> whether it would be better to MFC to 10 or direct commit to disturb as
> little as possible in the 10 branch.) The 9 branch doesn't include sqlite3.
>
> I can prepare an MFC to 11 sooner if wanted. I'll look at the 10 branch at
> noon my time today. Relnotes for 11 and an errata announcement for 10 would
> be all that's needed.

Reading email from this morning, looks like an errata notification will
also need to be made for 11.0 when it is released.
-- 
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX:  <cy@FreeBSD.org>   Web:  http://www.FreeBSD.org

	The need of the many outweighs the greed of the few.