
[SECURITY] [DLA 1633-1] sqlite3 security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : sqlite3
Version        : 3.8.7.1-1+deb8u4
CVE ID         : CVE-2017-2518 CVE-2017-2519 CVE-2017-2520
                 CVE-2017-10989 CVE-2018-8740
Debian Bug     : 867618 893195

Several flaws were corrected in SQLite, an SQL database engine.

CVE-2017-2518

    A use-after-free bug in the query optimizer may cause a
    buffer overflow and application crash via a crafted SQL statement.

CVE-2017-2519

    Insufficient size of the reference count on Table objects
    could lead to a denial-of-service or arbitrary code execution.

CVE-2017-2520

    The sqlite3_value_text() interface returned a buffer that was not
    large enough to hold the complete string plus zero terminator when
    the input was a zeroblob. This could lead to arbitrary code
    execution or a denial-of-service.

CVE-2017-10989

    SQLite mishandles undersized RTree blobs in a crafted database
    leading to a heap-based buffer over-read or possibly unspecified
    other impact.

CVE-2018-8740

    Databases whose schema is corrupted using a CREATE TABLE AS
    statement could cause a NULL pointer dereference.

For Debian 8 "Jessie", these problems have been fixed in version
3.8.7.1-1+deb8u4.

We recommend that you upgrade your sqlite3 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----
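
One way to check a fleet against the fixed version stated above, as an added example that is not part of the advisory: the Python below implements the general dpkg version ordering (epoch, upstream version, revision, with `~` sorting before everything) and lists hosts whose sqlite3 version sorts before 3.8.7.1-1+deb8u4. The inventory, host names and function names are constructed for illustration.

```python
import re

FIXED = "3.8.7.1-1+deb8u4"  # fixed version for Debian 8 "Jessie", from the advisory

def _order(c):
    # dpkg character weights: '~' sorts before end-of-string, letters before other symbols
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    # Compare alternating non-digit and digit runs, left to right.
    while a or b:
        na, a = re.match(r"(\D*)(.*)", a).groups()
        nb, b = re.match(r"(\D*)(.*)", b).groups()
        for i in range(max(len(na), len(nb))):
            ca, cb = _order(na[i:i + 1]), _order(nb[i:i + 1])
            if ca != cb:
                return -1 if ca < cb else 1
        da, a = re.match(r"(\d*)(.*)", a).groups()
        db, b = re.match(r"(\d*)(.*)", b).groups()
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def _split(version):
    # [epoch:]upstream[-revision]; the revision starts at the last hyphen
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "")

def deb_version_cmp(x, y):
    """Return -1, 0 or 1, ordering versions the way dpkg does."""
    (ex, ux, rx), (ey, uy, ry) = _split(x), _split(y)
    if ex != ey:
        return -1 if ex < ey else 1
    return _cmp_part(ux, uy) or _cmp_part(rx, ry)

def unpatched(inventory):
    """Hosts whose installed sqlite3 version sorts before FIXED."""
    return sorted(h for h, v in inventory.items() if deb_version_cmp(v, FIXED) < 0)

# Constructed inventory (hypothetical host names and installed versions).
INVENTORY = {
    "web01": "3.8.7.1-1+deb8u3",
    "web02": "3.8.7.1-1+deb8u4",
    "db01": "3.8.7.1-1",
    "build01": "3.16.2-5+deb9u1",
}

if __name__ == "__main__":
    print(unpatched(INVENTORY))
```

On a Debian host itself, `dpkg --compare-versions` performs the same comparison against the installed version.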

