On 18/12/2018 3:06 am, Roger Marquis wrote:
On Mon, 17 Dec 2018, Kubilay Kocak wrote:
Pretty close :)
Original source/announcement:
https://www.tenable.com/blog/magellan-remote-code-execution-vulnerability-in-sqlite-disclosed
[December 14th, 2018]
Not original though Tenable may have based th
I just wanted to say that I'm sorry to see there being a somewhat
testy exchange here on this list with regards to the SQLite
issue, but at least it gives me an opportunity to crack a rather
lame joke that I just made up by accident.
I'll be talking with another security professional by phone l
On Mon, Dec 17, 2018 at 10:02:36AM -0800, Hugh LaMaster wrote:
> On 12/17/18 6:14 AM, Cameron, Frank J wrote:
> > 'The new SQLITE_DBCONFIG_DEFENSIVE features is more of a
> > defense-in-depth, designed to head off future vulnerabilities by
> > making shadow-tables read-only to ordinary SQL, along w
I'm objecting to your tone, which is nearly always negative. The link I
sent states the problem with your tone in a much better and more eloquent
way than I can.
I challenge you to change your tone when you post to the list in the future.
On Mon, Dec 17, 2018 at 10:28 AM Roger Marquis wrote:
>
08:09
To: Kubilay Kocak
Cc: ports-sect...@freebsd.org; freebsd-security@freebsd.org; Brooks Davis
Subject: Re: SQLite vulnerability
On Mon, 17 Dec 2018, Kubilay Kocak wrote:
> Pretty close :)
> Original source/announcement:
> https://www.tenable.com/blog/magellan-remote-code-execution-vuln
On Mon, 17 Dec 2018, Kubilay Kocak wrote:
Pretty close :)
Original source/announcement:
https://www.tenable.com/blog/magellan-remote-code-execution-vulnerability-in-sqlite-disclosed
[December 14th, 2018]
Not original though Tenable may have based their announcement on:
https://meterpreter.o
Robert Simmons acerbically replied:
Since you may not read that essay on open source software, here is the
salient point for you:
- For users: remember when filing an issue, opening a pull request or
making a comment on a project to be grateful that people spend their free
time to build sof
On Mon, Dec 17, 2018 at 01:09:37PM +0100, Piotr Kubaj via freebsd-security
wrote:
> Doesn't base also need to be patched?
> AFAIK pkg uses sqlite database.
Does pkg allow running arbitrary untrusted SQL?
'The vulnerability only exists in applications that allow a potential
attacker to run arbitr
Yes, pkg uses sqlite. It uses the amalgamation here:
https://github.com/freebsd/pkg/tree/master/external/sqlite
On Mon, Dec 17, 2018, 07:11 Piotr Kubaj via freebsd-security <
freebsd-security@freebsd.org wrote:
> Doesn't base also need to be patched?
>
> AFAIK pkg uses sqlite database.
>
> --
>
Doesn't base also need to be patched?
AFAIK pkg uses sqlite database.
--
_
/ Drew's Law of Highway Biology: \
| |
| The first bug to hit a clean windshield |
| |
\ l
On 17/12/2018 7:44 pm, Brooks Davis wrote:
On Sun, Dec 16, 2018 at 08:13:59AM -0800, Roger Marquis wrote:
Thanks to Chrome{,ium} a recently discovered SQLite exploit has been all
over the news for a week now. It is patched on all Linux platforms but
has not yet shown up in FreeBSD's vulxml data
On Sun, Dec 16, 2018 at 08:13:59AM -0800, Roger Marquis wrote:
> Thanks to Chrome{,ium} a recently discovered SQLite exploit has been all
> over the news for a week now. It is patched on all Linux platforms but
> has not yet shown up in FreeBSD's vulxml database. Does this mean:
>
> A) FreeBSD
Since you may not read that essay on open source software, here is the
salient point for you:
- For users: remember when filing an issue, opening a pull request or
making a comment on a project to be grateful that people spend their free
time to build software you get to use for free. Kee
https://mikemcquaid.com/2018/03/19/open-source-maintainers-owe-you-nothing/
On Sun, Dec 16, 2018, 16:42 Roger Marquis wrote:
> Thanks to Chrome{,ium} a recently discovered SQLite exploit has been all
> over the news for a week now. It is patched on all Linux platforms but
> has not yet shown up in FreeBS
> On 17. Dec 2018, at 8:59 AM, Robert Simmons wrote:
>
> You're being a jerk.
This knee-jerk reaction defence is getting old.
If you guys don't want to address it just leave it be or say "I'm not interested
in doing x-y-z", even if it means "not interested in security" or "not
interested in
You're being a jerk.
This is a volunteer project. It owes you nothing.
On Sun, Dec 16, 2018, 16:42 Roger Marquis wrote:
> Thanks to Chrome{,ium} a recently discovered SQLite exploit has been all
> over the news for a week now. It is patched on all Linux platforms but
> has not yet shown up in FreeBSD's
Hi,
It’s sad to see that you are still as negative as you were not that long ago.
I said before that if you rely on the information being up to date, you should
sponsor the FF or pay someone to do the work for you. You keep forgetting
that we (security-officer@ and ports-secteam@) are volunteers
> It's sad to see that you are still as negative as you were not that long
> ago.
Apologies for being negative Remko, but isn't it the implications for
those running FreeBSD that are negative rather than someone pointing
them out? Or do we have different interpretations of the scope or
threat prof