Date: Thu, 1 Jun 2017 07:17:41 -0600
From: Nicholas Luedtke <nsl@....com>
To: oss-security@...ts.openwall.com
Subject: Re: Information on recent sqlite3 issues?

On 06/01/2017 07:14 AM, Kurt Seifried wrote:
> I will bring this up at the next cve board meeting (2 weeks from now).
>
>
> -Kurt

Thanks Kurt, it's worth noting this happens often with libxml as well.

>> On Jun 1, 2017, at 00:20, Johannes Segitz <jsegitz@...e.de> wrote:
>>
>>> On Thu, Jun 01, 2017 at 12:24:10AM +0200, Andreas Stieger wrote:
>>> Hello,
>>>
>>>
>>>> On 05/31/2017 10:30 PM, Moritz Muehlenhoff wrote:
>>>> one of the latest Apple advisories mentions several vulnerabilities in sqlite:
>>>> https://support.apple.com/en-us/HT207798
>>>>
>>>> CVE-2017-2513: found by OSS-Fuzz
>>>> CVE-2017-2518: found by OSS-Fuzz
>>>> CVE-2017-2520: found by OSS-Fuzz
>>>> CVE-2017-2519: found by OSS-Fuzz
>>>> CVE-2017-6983: Chaitin Security Research Lab (@...itinTech) working with Trend Micro's Zero Day Initiative
>>>> CVE-2017-6991: Chaitin Security Research Lab (@...itinTech) working with Trend Micro's Zero Day Initiative
>>>>
>>>> Does anyone have additional information on those and whether that
>>>> applies to the standard sqlite releases or Apple-specific changes?
>>> SUSE has asked Apple, but has not yet received an answer as far as I am
>>> aware.
>> They replied:
>>
>>> Thank you for contacting the Apple Product Security team.
>>>
>>> Please contact the SQLite maintainers to coordinate.
>> I think it is problematic that they assign CVEs but don't provide any
>> details even if it's not only their code. I contacted the sqlite-devs for
>> details but didn't receive a reply up to this point.
>>
>> Johannes

--
Nicholas Luedtke
HPE Linux Security, Hewlett-Packard Enterprise