Date: Fri, 03 Jan 2025 18:44:49 +0000
From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 283830] security/vuxml: fix sqlite vulnerable version range (CVE-2024-0232)
Message-ID: <bug-283830-7788@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=283830

            Bug ID: 283830
           Summary: security/vuxml: fix sqlite vulnerable version range (CVE-2024-0232)
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-secteam@FreeBSD.org
          Reporter: jcfyecrayz@liamekaens.com
             Flags: maintainer-feedback?(ports-secteam@FreeBSD.org)

CVE-2024-0232 is about a possible buffer overflow for the json parser in sqlite.
sqlite apparently didn't have the referenced vulnerable json parser function
(jsonParseAddNodeArray) before 3.43.0, and the CVE references assert that
< 3.43.0 is not vulnerable.

The 42ec2207-7e85-11ef-89a4-b42e991fc52e vuxml vid should reflect the lower end
of that range.

Fixing the vulnerable range specification will avoid a false positive for
databases/linux-rl9-sqlite3 (currently at 3.34.1-7). It will also help avoid
false positives for people who have databases/sqlite3 installed with
rev < 3.43.0 in case they have not updated since then (the only vulnerable
official FreeBSD pkg - 3.43.1 - would have existed from ~Sep 2023 - ~Nov 2023).

refs:
ports 91064fdc5d6613c558832fb9ed26bdfaef107102
ports d94547d54ebe03dd72417b7d81e3f1f261e2cb06
https://nvd.nist.gov/vuln/detail/CVE-2024-0232 (see Known Affected Software Configurations)
https://security.netapp.com/advisory/ntap-20240315-0007/
https://sqlite.org/forum/forumpost/4aa381993a

-- 
You are receiving this mail because:
You are the assignee for the bug.
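To make the false positive described in the report concrete, here is an added example (not code from the reporter, the vuxml port, or pkg-audit) that models how a VuXML <range> is matched against an installed package version. It builds a constructed VuXML-style fragment for the vid named above, once with only an <lt> bound and once with the <ge>3.43.0</ge> lower bound the report asks for, and checks the versions the report mentions against both. The upper bound 3.43.2 is an assumed placeholder (the bug report does not state the fixed version), and the version comparison is a simplified model of FreeBSD package version ordering, handling only dotted numeric components plus an optional _N or -N revision.

```python
import re
import xml.etree.ElementTree as ET

# Constructed VuXML-style fragment for illustration; it is not the real entry.
# The <lt> value "3.43.2" is a placeholder: the actual upper bound is not
# given in the bug report.
VUXML_BEFORE = """
<vuln vid="42ec2207-7e85-11ef-89a4-b42e991fc52e">
  <affects>
    <package>
      <name>sqlite3</name>
      <name>linux-rl9-sqlite3</name>
      <range><lt>3.43.2</lt></range>
    </package>
  </affects>
</vuln>
"""

# The corrected entry adds the lower bound: jsonParseAddNodeArray only
# exists from 3.43.0, so anything older cannot be affected.
VUXML_AFTER = VUXML_BEFORE.replace("<range><lt>", "<range><ge>3.43.0</ge><lt>")


def parse_version(v: str):
    """Split '3.34.1_7' or '3.34.1-7' into (numeric components, revision).

    Simplified model of pkg version syntax: dotted integers plus an optional
    PORTREVISION-style suffix. Anything else is rejected rather than guessed.
    """
    m = re.fullmatch(r"([0-9.]+)(?:[_-]([0-9]+))?", v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    parts = tuple(int(p) for p in m.group(1).split(".") if p)
    rev = int(m.group(2) or 0)
    return parts, rev


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b (3.43 == 3.43.0)."""
    pa, ra = parse_version(a)
    pb, rb = parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return ((pa > pb) - (pa < pb)) or ((ra > rb) - (ra < rb))


# VuXML range bounds: each child of <range> must hold for the range to match.
OPS = {
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "eq": lambda c: c == 0,
    "ge": lambda c: c >= 0,
    "gt": lambda c: c > 0,
}


def range_matches(range_el, version: str) -> bool:
    return all(OPS[b.tag](compare(version, b.text.strip())) for b in range_el)


def affected(vuxml: str, pkgname: str, version: str) -> bool:
    """True if pkgname at version falls inside any <range> of a matching <package>."""
    root = ET.fromstring(vuxml)
    for pkg in root.iter("package"):
        names = {n.text.strip() for n in pkg.findall("name")}
        if pkgname not in names:
            continue
        if any(range_matches(r, version) for r in pkg.findall("range")):
            return True
    return False


if __name__ == "__main__":
    # linux-rl9-sqlite3 3.34.1-7 is flagged by the <lt>-only range but not
    # once the <ge>3.43.0</ge> lower bound is present.
    print("rl9 3.34.1-7, lt only :", affected(VUXML_BEFORE, "linux-rl9-sqlite3", "3.34.1-7"))
    print("rl9 3.34.1-7, ge+lt   :", affected(VUXML_AFTER, "linux-rl9-sqlite3", "3.34.1-7"))
    print("sqlite3 3.43.1, ge+lt :", affected(VUXML_AFTER, "sqlite3", "3.43.1"))
```

The corrected range still flags 3.43.1, the one official package build the report identifies as vulnerable, while older installs and the linux-rl9-sqlite3 package drop out of the match.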