-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0120
                [SECURITY] [DLA 1633-1] sqlite3 security update
                               14 January 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           sqlite3
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-8740 CVE-2017-10989 CVE-2017-2520 CVE-2017-2519
                   CVE-2017-2518
Reference:         ESB-2017.1228
                   ESB-2017.1227
                   ESB-2017.1226
                   ESB-2017.1225

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2019/01/msg00009.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : sqlite3
Version        : 3.8.7.1-1+deb8u4
CVE ID         : CVE-2017-2518 CVE-2017-2519 CVE-2017-2520 CVE-2017-10989
                 CVE-2018-8740
Debian Bug     : 867618 893195

Several flaws were corrected in SQLite, an SQL database engine.

CVE-2017-2518

    A use-after-free bug in the query optimizer may cause a buffer
    overflow and application crash via a crafted SQL statement.

CVE-2017-2519

    Insufficient size of the reference count on Table objects could lead
    to a denial-of-service or arbitrary code execution.

CVE-2017-2520

    The sqlite3_value_text() interface returned a buffer that was not
    large enough to hold the complete string plus zero terminator when
    the input was a zeroblob. This could lead to arbitrary code execution
    or a denial-of-service.

CVE-2017-10989

    SQLite mishandles undersized RTree blobs in a crafted database
    leading to a heap-based buffer over-read or possibly unspecified
    other impact.

CVE-2018-8740

    Databases whose schema is corrupted using a CREATE TABLE AS statement
    could cause a NULL pointer dereference.

For Debian 8 "Jessie", these problems have been fixed in version
3.8.7.1-1+deb8u4.

We recommend that you upgrade your sqlite3 packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlw45RNfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeQkQg//f++F0/eNLDz681Vf2Ib8XpmGllFBblaBFVfZOkdHtUg5HbM9lhPH7lyJ
owCZrhEb6C9W/FOiDjIwJxMumvUXv6IDjgjBsS++5L1bpTEtZQYUmVIJmu3FEGN4
Gwy9+uZhgoErE252tnr1/PS1niyl5+EaKzIi3rZp+9vVVDIP/gGSDA4FSToRepz8
ApuRoLBShIfyE4cZTyFNLeFH5t7A6vnSwNQeqMfg3V0e+NuPPVZJoqrRIjXNmoc9
/uiG/lwQkdpxj7eDz6bZ3F9BuQhtXjkZxIqaaMZpBq3vD8eWiHrySqDvYHboy50e
yDr4D8eX7rvkcPH40TvS6xOwNtLONy8zRRKGCKRWhnnujdWFIYXFDpkVubfV36m/
AyWmcJ5JdCVCu6vCA0BrosD+JO2THre3y73AsmUR6S2pxZqo5jwawxma4yEsVGgT
Q/BaSzaJ2306ZYxk0mzDgyWekT4zCxWPa5yE7x7vhyjPsWBwkLqvtQv1ZYwJzrAE
rfhdgZBc4n8Hjpz8s2RG6D9bvk5OGZ8clIYrG6XPNux3+BgXtSkMaQ8z4b/62CY6
Fe6zALjbdzI7iKECzPveWykYD2UdfRuv7vJrngVPiZ6vbKC04hw0J8pcmyd2ckY7
vUvhBZMVu3lhS2e2wz+eS4HERKcCOdYj/rBoqEsjcOH7R2iWUzI=
=oDiQ
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXDvmIWaOgq3Tt24GAQg5ABAAxBDoO08BmykZysQQdQkLyHqfw++qB6YH
gvQPMx2oT8MM7XdEwIPYBBCajEFLR/Vv+FblgTD/kgQapdZhjD8Pqxlj3et4/aRL
PSJao50pAdED8+25Qygt1HcW+4jEC6b7tVOszqMAcx7g5rJCo100GheOVlBHiuag
8KOCgzvnggmGC7Yvd8yGOMbZ4zWFmXfDI6j6XoOZm4kJsGB/6Vqh1elgVxrcSbKv
Xr88VSQeJYwRKozb0qoRZgoagSZY9qcJx7uFF0PaPTNlQrurSnZuJL/MMrmScXTP
Lh3s2bSPLE0+1L6wvpy/k/yenHNQ6Fb2/xPfspnh+icDefYAOiFCTONrGMP1d2R6
C+0/qwZt8ncZzazGltd4B9iWZRU3dMwGuP8CY9WTZC1tyG7EeqVTymfKMTV88xKr
RsLhDR/zJpDV9+F/hsBfIN2wK/3VJ/e7viCP1xlUAwfvvwNwth/r/wDw7vB+ToKV
jpZHbioX0r7qFXkdjNzVSiobfd/njmBS0BiIMyEuGJrqvWJY6vX17LaCPY3AcN9W
hDMeUSR7mN3B5MoqnVwHZLY26vlLjXceE9DVQxya+GIAHQVMWGHZrZfmNFoZ1PNw
BGz2eXk0gDSRLSguBtYrkfJY2XybeBOcx2XFBvpDeLt9MP3WQRw93GHpiCYScjlj
WpZxWBjMPKA=
=J8Py
-----END PGP SIGNATURE-----
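The bulletin's remediation is a version check: a Jessie host is covered once its sqlite3 packages are at 3.8.7.1-1+deb8u4 or later. The following is an added example, not part of the AusCERT bulletin or of Debian's tooling, that audits dpkg-query output for packages still older than that fixed version. It reimplements dpkg's version-ordering rules (epoch, upstream version, Debian revision; '~' sorts before anything, letters before punctuation, digit runs compared numerically) so that revisions such as deb8u10 compare correctly against deb8u4. The hostnames, the per-host output and the inclusion of the libsqlite3-0 library package are constructed sample data for the example; the fixed version is the one the advisory names.

```python
"""Audit Debian package versions against the fix in DLA 1633-1.

Added example; the version ordering follows the algorithm dpkg uses.
"""

FIXED_VERSION = "3.8.7.1-1+deb8u4"   # fixed version named in the bulletin

# Constructed sample output (made up for this example) of:
#   dpkg-query -W -f='${Package}\t${Version}\t${Status}\n' sqlite3 libsqlite3-0
# as it might look on three hypothetical Jessie hosts.
SAMPLE_DPKG_OUTPUT = {
    "host-a": "sqlite3\t3.8.7.1-1+deb8u2\tinstall ok installed\n"
              "libsqlite3-0\t3.8.7.1-1+deb8u2\tinstall ok installed\n",
    "host-b": "sqlite3\t3.8.7.1-1+deb8u4\tinstall ok installed\n"
              "libsqlite3-0\t3.8.7.1-1+deb8u4\tinstall ok installed\n",
    "host-c": "sqlite3\t3.8.7.1-1+deb8u1\tdeinstall ok config-files\n"
              "libsqlite3-0\t3.8.7.1-1+deb8u3\tinstall ok installed\n",
}


def _order(c):
    """Weight of one character in a non-digit run, as dpkg defines it."""
    if c == "~":
        return -1           # '~' sorts before everything, even end of string
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)       # letters sort before other characters
    return ord(c) + 256     # punctuation sorts after letters


def _compare_fragment(a, b):
    """Compare one version component: alternate non-digit runs (weighted
    lexically) with digit runs (compared numerically). Returns <0, 0, >0."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":   # leading zeros are insignificant
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():   # a has more digits: it is larger
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split a Debian version into (epoch, upstream_version, debian_revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        c = _compare_fragment(x, y)
        if c:
            return -1 if c < 0 else 1
    return 0


def vulnerable_packages(dpkg_output, fixed_version=FIXED_VERSION):
    """Return (package, version) pairs for installed packages older than the fix."""
    found = []
    for line in dpkg_output.splitlines():
        if not line.strip():
            continue
        package, version, status = line.split("\t", 2)
        if status.split()[-1] != "installed":
            continue    # only config files left behind: no code on disk
        if compare_versions(version, fixed_version) < 0:
            found.append((package, version))
    return found


if __name__ == "__main__":
    for host, output in SAMPLE_DPKG_OUTPUT.items():
        stale = vulnerable_packages(output)
        print(host, "up to date" if not stale else stale)
```

On a real fleet the dpkg-query line would be run on each host and its output fed to vulnerable_packages(); a package whose status is not "installed" is skipped because a removed package that only left configuration files behind has no library to exploit.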