From: Brooks Davis
To: Roger Marquis
Cc: freebsd-security@freebsd.org, ports-secteam@FreeBSD.org
Date: Mon, 17 Dec 2018 08:44:35 +0000
Subject: Re: SQLite vulnerability
Message-ID: <20181217084435.GC4757@spindle.one-eyed-alien.net>
List-Id: "Security issues [members-only posting]"

On Sun, Dec 16, 2018 at 08:13:59AM -0800, Roger Marquis wrote:
> Thanks to Chrome{,ium} a recently discovered SQLite exploit has been all
> over the news for a week now. It is patched on all Linux platforms but
> has not yet shown up in FreeBSD's vulxml database. Does this mean:
>
> A) FreeBSD versions prior to 3.26.0 are not vulnerable, or
>
> B) the ports-secteam is not able to properly maintain the vulnerability
> database?
>
> If the latter perhaps someone from the security team could let us know
> how such a significant vulnerability could go unflagged for so long and,
> more importantly, what might be done to address the gap in reporting?

Almost certainly:

C) This vulnerability was reported in a random blog post on a Sunday
without any details so people haven't caught up with it yet.

-- Brooks