From owner-freebsd-security@freebsd.org  Mon Dec 17 16:06:52 2018
Return-Path: <owner-freebsd-security@freebsd.org>
Delivered-To: freebsd-security@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id E48A11344879;
 Mon, 17 Dec 2018 16:06:51 +0000 (UTC)
 (envelope-from marquis@roble.com)
Received: from mx5.roble.com (mx5.roble.com [209.237.23.5])
 (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits))
 (Client CN "mx5.roble.com", Issuer "mx5.roble.com" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 72D1B75290;
 Mon, 17 Dec 2018 16:06:51 +0000 (UTC)
 (envelope-from marquis@roble.com)
Received: from roble.com (roble.com [209.237.23.50])
 by mx5.roble.com (Postfix) with ESMTP id 1F5D58551C;
 Mon, 17 Dec 2018 08:06:50 -0800 (PST)
Date: Mon, 17 Dec 2018 08:06:50 -0800 (PST)
From: Roger Marquis <marquis@roble.com>
To: Kubilay Kocak <koobs@FreeBSD.org>
cc: Brooks Davis <brooks@freebsd.org>, freebsd-security@freebsd.org, 
 ports-secteam@FreeBSD.org
Subject: Re: SQLite vulnerability
In-Reply-To: <14b152b6-b994-2b1a-c1ac-0fc2f606149a@FreeBSD.org>
Message-ID: <nycvar.OFS.7.76.444.1812170758000.59073@mx.roble.com>
References: <nycvar.OFS.7.76.444.1812160753280.5993@mx.roble.com>
 <20181217084435.GC4757@spindle.one-eyed-alien.net>
 <14b152b6-b994-2b1a-c1ac-0fc2f606149a@FreeBSD.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
X-Rspamd-Queue-Id: 72D1B75290
X-Spamd-Bar: ------
Authentication-Results: mx1.freebsd.org
X-Spamd-Result: default: False [-6.85 / 15.00];
 NEURAL_HAM_MEDIUM(-1.00)[-1.000,0];
 NEURAL_HAM_SHORT(-0.85)[-0.850,0];
 NEURAL_HAM_LONG(-1.00)[-1.000,0]; REPLY(-4.00)[]
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Dec 2018 16:06:52 -0000

On Mon, 17 Dec 2018, Kubilay Kocak wrote:
> Pretty close :)
> Original source/announcement:
> https://www.tenable.com/blog/magellan-remote-code-execution-vulnerability-in-sqlite-disclosed 
> [December 14th, 2018]

Not original though Tenable may have based their announcement on:

   https://meterpreter.org/sqlite-remote-code-execution-vulnerability-alert/
   [December 11th, 2014]

> I've already re-opened Issue #233712 [1], which was our databases/sqlite3 
> port update to 3.26.0 and requested a merge to quarterly.

Thank you Kubila and thanks to pavelivolkov@gmail.com who updated the sqlite3
port on December 4th.

Roger Marquis