From: Cy Schubert
To: Cy Schubert
cc: Shawn Webb, Cy Schubert, svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org, re@freebsd.org, so@freebsd.org
Subject: Re: svn commit: r304747 - in head/contrib/sqlite3: . tea
In-Reply-To: Message from Cy Schubert of "Wed, 24 Aug 2016 05:55:16 -0700." <201608241255.u7OCtGK3019972@slippy.cwsent.com>
Date: Wed, 24 Aug 2016 12:10:07 -0700
Message-Id: <201608241910.u7OJA7dH012503@slippy.cwsent.com>

In message <201608241255.u7OCtGK3019972@slippy.cwsent.com>, Cy Schubert writes:
> In message <20160824123811.GB74786@mutt-hardenedbsd>, Shawn Webb writes:
> >
> > On Wed, Aug 24, 2016 at 05:35:54AM -0700, Cy Schubert wrote:
> > > In message <201608241232.u7OCWPsn020853@repo.freebsd.org>, Cy Schubert
> > > writes:
> > > > Author: cy
> > > > Date: Wed Aug 24 12:32:24 2016
> > > > New Revision: 304747
> > > > URL: https://svnweb.freebsd.org/changeset/base/304747
> > > >
> > > > Log:
> > > >   MFV r304732.
> > > >
> > > >   Update from sqlite3-3.12.1 (3120100) to sqlite3-3.14.1 (3140100).
> > > >
> > > >   This commit addresses the tmpdir selection vulnerability fixed in
> > > >   sqlite3-1.13.0. See VuXML entry 546deeea-3fc6-11e6-a671-60a44ce6887b.
> > > >
> > > >   Security: VuXML 546deeea-3fc6-11e6-a671-60a44ce6887b
> > > >   Security: CVE-2016-6153
> > >
> > > This should probably be MFCed in a week unless re@ wants it sooner of
> > > course.
> >
> > Does this also need a FreeBSD errata notice or security announcement?
>
> Not for the upcoming 11.0 release. The 10 branch OTOH appears to have
> 1.8.14, which is much much older, so I think that we should or at least do
> a direct commit to simply address the vulnerability. (I haven't looked at
> whether it would be better to MFC to 10 or direct commit to disturb as
> little as possible in the 10 branch.) The 9 branch doesn't include sqlite3.
>
> I can prepare an MFC to 11 sooner if wanted. I'll look at the 10 branch at
> noon my time today. Relnotes for 11 and an errata announcement for 10 would
> be all that's needed.

Reading email from this morning, looks like an errata notification will
also need to be made for 11.0 when it is released.

--
Cheers,
Cy Schubert
FreeBSD UNIX: Web: http://www.FreeBSD.org

The need of the many outweighs the greed of the few.