From owner-svn-src-all@freebsd.org Wed Aug 24 12:55:19 2016
Message-Id: <201608241255.u7OCtGK3019972@slippy.cwsent.com>
From: Cy Schubert
To: Shawn Webb
cc: Cy Schubert, svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org
Subject: Re: svn commit: r304747 - in head/contrib/sqlite3: . tea
In-Reply-To: Message from Shawn Webb of "Wed, 24 Aug 2016 08:38:11 -0400." <20160824123811.GB74786@mutt-hardenedbsd>
Date: Wed, 24 Aug 2016 05:55:16 -0700

In message <20160824123811.GB74786@mutt-hardenedbsd>, Shawn Webb writes:
> On Wed, Aug 24, 2016 at 05:35:54AM -0700, Cy Schubert wrote:
> > In message <201608241232.u7OCWPsn020853@repo.freebsd.org>, Cy Schubert
> > writes:
> > > Author: cy
> > > Date: Wed Aug 24 12:32:24 2016
> > > New Revision: 304747
> > > URL: https://svnweb.freebsd.org/changeset/base/304747
> > >
> > > Log:
> > >   MFV r304732.
> > >
> > >   Update from sqlite3-3.12.1 (3120100) to sqlite3-3.14.1 (3140100).
> > >
> > >   This commit addresses the tmpdir selection vulnerability fixed in
> > >   sqlite3-1.13.0. See VuXML entry 546deeea-3fc6-11e6-a671-60a44ce6887b.
> > >
> > >   Security: VuXML 546deeea-3fc6-11e6-a671-60a44ce6887b
> > >   Security: CVE-2016-6153
> >
> > This should probably be MFCed in a week unless re@ wants it sooner of
> > course.
>
> Does this also need a FreeBSD errata notice or security announcement?

Not for the upcoming 11.0 release.
The 10 branch OTOH appears to have 1.8.14, which is much much older, so I think that we should or at least do a direct commit to simply address the vulnerability. (I haven't looked at whether it would be better to MFC to 10 or direct commit to disturb as little as possible in the 10 branch.) The 9 branch doesn't include sqlite3.

I can prepare an MFC to 11 sooner if wanted. I'll look at the 10 branch at noon my time today.

Relnotes for 11 and an errata announcement for 10 would be all that's needed.

--
Cheers,
Cy Schubert
FreeBSD UNIX: Web: http://www.FreeBSD.org

The need of the many outweighs the greed of the few.