Re: "Magellan" bug in sqlite3

2018-12-24 Thread Hideki Yamane
Hi,

On Thu, 20 Dec 2018 09:05:57 +0100 László Böszörményi (GCS) wrote:
> It's turned out to be an FTS3/FTS4 extension issue (that is, you are
> safe if you don't use it). Upstream confirmed it[1] and fix is
> available[2]. First fixed version is 3.25.3 but due to other security
> related fixes l

Re: "Magellan" bug in sqlite3

2018-12-20 Thread qmi
On Thu, Dec 20, 2018 at 12:36:23AM +0100, Christoph Moench-Tegeder wrote:
> > > > This vulnerability seems to have been already handled. See URL:
> > > > https://security-tracker.debian.org/tracker/TEMP-0566326-9A899F
> > >
> > > No, we should deal with it in stable release, so tracking is import

Re: "Magellan" bug in sqlite3

2018-12-20 Thread GCS
On Mon, Dec 17, 2018 at 6:21 AM Hideki Yamane wrote:
> It may be known already but
> https://security-tracker.debian.org/tracker/source-package/sqlite3
> doesn't contain its vulnerability information.

I've sent a detailed analysis of the possible issue back then to the Security Team. A bit lat

Re: "Magellan" bug in sqlite3

2018-12-19 Thread Christoph Moench-Tegeder
## qmi (li...@miklos.info):

> > > This vulnerability seems to have been already handled. See URL:
> > > https://security-tracker.debian.org/tracker/TEMP-0566326-9A899F
> >
> > No, we should deal with it in stable release, so tracking is important.
> >
> Please check the link above once again.

Re: "Magellan" bug in sqlite3

2018-12-19 Thread qmi
Hi

On Wed, Dec 19, 2018 at 04:40:36PM +0900, Hideki Yamane wrote:
> On Tue, 18 Dec 2018 23:36:24 +0100
> qmi wrote:
> > This vulnerability seems to have been already handled. See URL:
> > https://security-tracker.debian.org/tracker/TEMP-0566326-9A899F
>
> No, we should deal with it in stable re

Re: "Magellan" bug in sqlite3

2018-12-18 Thread Hideki Yamane
On Tue, 18 Dec 2018 23:36:24 +0100 qmi wrote:
> This vulnerability seems to have been already handled. See URL:
> https://security-tracker.debian.org/tracker/TEMP-0566326-9A899F

At that time, there's no info.

> But no CVE assigned as this is not public yet.

Yes.

> Additionally, the Tencent

Re: "Magellan" bug in sqlite3

2018-12-18 Thread qmi
Hi

This vulnerability seems to have been already handled. See URL:
https://security-tracker.debian.org/tracker/TEMP-0566326-9A899F
But no CVE assigned as this is not public yet.
Additionally, the Tencent team's page itself on the link referred by you states that in order to apply the fix, update

"Magellan" bug in sqlite3

2018-12-16 Thread Hideki Yamane
Hi,

It may be known already but
https://security-tracker.debian.org/tracker/source-package/sqlite3
doesn't contain its vulnerability information.

Tencent Blade Team released a security advisory about "Magellan" bug in sqlite, that was fixed in upstream 3.26.0. See https://blade.tencent.com/