Date: Wed, 24 Aug 2016 05:55:16 -0700
From: Cy Schubert <Cy.Schubert@komquats.com>
To: Shawn Webb <shawn.webb@hardenedbsd.org>
Cc: Cy Schubert <Cy.Schubert@komquats.com>, Cy Schubert <cy@FreeBSD.org>, svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org
Subject: Re: svn commit: r304747 - in head/contrib/sqlite3: . tea
Message-ID: <201608241255.u7OCtGK3019972@slippy.cwsent.com>
In-Reply-To: Message from Shawn Webb <shawn.webb@hardenedbsd.org> of "Wed, 24 Aug 2016 08:38:11 -0400." <20160824123811.GB74786@mutt-hardenedbsd>

In message <20160824123811.GB74786@mutt-hardenedbsd>, Shawn Webb writes:
> On Wed, Aug 24, 2016 at 05:35:54AM -0700, Cy Schubert wrote:
> > In message <201608241232.u7OCWPsn020853@repo.freebsd.org>, Cy Schubert
> > writes:
> > > Author: cy
> > > Date: Wed Aug 24 12:32:24 2016
> > > New Revision: 304747
> > > URL: https://svnweb.freebsd.org/changeset/base/304747
> > >
> > > Log:
> > >   MFV r304732.
> > >
> > >   Update from sqlite3-3.12.1 (3120100) to sqlite3-3.14.1 (3140100).
> > >
> > >   This commit addresses the tmpdir selection vulnerability fixed in
> > >   sqlite3-1.13.0. See VuXML entry 546deeea-3fc6-11e6-a671-60a44ce6887b.
> > >
> > >   Security: VuXML 546deeea-3fc6-11e6-a671-60a44ce6887b
> > >   Security: CVE-2016-6153
> >
> > This should probably be MFCed in a week unless re@ wants it sooner of
> > course.
>
> Does this also need a FreeBSD errata notice or security announcement?

Not for the upcoming 11.0 release. The 10 branch OTOH appears to have
1.8.14, which is much much older, so I think that we should or at least do
a direct commit to simply address the vulnerability. (I haven't looked at
whether it would be better to MFC to 10 or direct commit to disturb as
little as possible in the 10 branch.) The 9 branch doesn't include sqlite3.

I can prepare an MFC to 11 sooner if wanted. I'll look at the 10 branch at
noon my time today.

Relnotes for 11 and an errata announcement for 10 would be all that's
needed.

--
Cheers,
Cy Schubert <Cy.Schubert@cschubert.com>
FreeBSD UNIX: <cy@FreeBSD.org> Web: http://www.FreeBSD.org

The need of the many outweighs the greed of the few.