Date:      Mon, 17 Dec 2018 08:44:35 +0000
From:      Brooks Davis <brooks@freebsd.org>
To:        Roger Marquis <marquis@roble.com>
Cc:        freebsd-security@freebsd.org, ports-secteam@FreeBSD.org
Subject:   Re: SQLite vulnerability
Message-ID:  <20181217084435.GC4757@spindle.one-eyed-alien.net>
In-Reply-To: <nycvar.OFS.7.76.444.1812160753280.5993@mx.roble.com>
References:  <nycvar.OFS.7.76.444.1812160753280.5993@mx.roble.com>


On Sun, Dec 16, 2018 at 08:13:59AM -0800, Roger Marquis wrote:
> Thanks to Chrome{,ium} a recently discovered SQLite exploit has been all
> over the news for a week now.  It is patched on all Linux platforms but
> has not yet shown up in FreeBSD's VuXML database.  Does this mean:
>
>   A) FreeBSD versions prior to 3.26.0 are not vulnerable, or
>
>   B) the ports-secteam is not able to properly maintain the vulnerability
>   database?
>
> If the latter perhaps someone from the security team could let us know
> how such a significant vulnerability could go unflagged for so long and,
> more importantly, what might be done to address the gap in reporting?

Almost certainly:

  C) This vulnerability was reported in a random blog post on a Sunday
  without any details so people haven't caught up with it yet.

-- Brooks



