From: Cy Schubert
Subject: RE: SQLite vulnerability
Date: Mon, 17 Dec 2018 09:18:57 -0800
To: Roger Marquis, Kubilay Kocak
CC: "ports-secteam@FreeBSD.org", "freebsd-security@freebsd.org", Brooks Davis
Message-Id: <20181217171856.5181F49C6@spqr.komquats.com>

Base needs updating.

---
Sent using a tiny phone keyboard.
Apologies for any typos and autocorrect.
Also, this old phone only supports top post. Apologies.

Cy Schubert or
The need of the many outweighs the greed of the few.
---

-----Original Message-----
From: Roger Marquis
Sent: 17/12/2018 08:09
To: Kubilay Kocak
Cc: ports-secteam@FreeBSD.org; freebsd-security@freebsd.org; Brooks Davis
Subject: Re: SQLite vulnerability

On Mon, 17 Dec 2018, Kubilay Kocak wrote:
> Pretty close :)
> Original source/announcement:
> https://www.tenable.com/blog/magellan-remote-code-execution-vulnerability-in-sqlite-disclosed
> [December 14th, 2018]

Not original though Tenable may have based their announcement on:

https://meterpreter.org/sqlite-remote-code-execution-vulnerability-alert/
[December 11th, 2014]

> I've already re-opened Issue #233712 [1], which was our databases/sqlite3
> port update to 3.26.0 and requested a merge to quarterly.

Thank you Kubilay and thanks to pavelivolkov@gmail.com who updated the sqlite3
port on December 4th.

Roger Marquis