Date: Thu, 1 Jun 2017 08:20:46 +0200
From: Johannes Segitz <>
Subject: Re: Information on recent sqlite3 issues?

On Thu, Jun 01, 2017 at 12:24:10AM +0200, Andreas Stieger wrote:
> Hello,
> On 05/31/2017 10:30 PM, Moritz Muehlenhoff wrote:
> > one of the latest Apple advisories mentions several vulnerabilities in sqlite:
> >
> >
> > CVE-2017-2513: found by OSS-Fuzz
> > CVE-2017-2518: found by OSS-Fuzz
> > CVE-2017-2520: found by OSS-Fuzz
> > CVE-2017-2519: found by OSS-Fuzz
> > CVE-2017-6983: Chaitin Security Research Lab (@ChaitinTech) working with Trend Micro's Zero Day Initiative
> > CVE-2017-6991: Chaitin Security Research Lab (@ChaitinTech) working with Trend Micro's Zero Day Initiative
> >
> > Does anyone have additional information on those and whether that
> > applies to the standard sqlite releases or Apple-specific changes?
> SUSE has asked Apple, but has not yet received an answer as far as I am
> aware.

They replied:

>Thank you for contacting the Apple Product Security team.
>Please contact the SQLite maintainers to coordinate.

I think it is problematic that they assign CVEs but don't provide any
details even if it's not only their code. I contacted the sqlite-devs for
details but didn't receive a reply up to this point.

GPG Key E7C81FA0       EE16 6BCE AD56 E034 BFB3  3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint:    250F 43F5 F7CE 6F1E 9C59  4F95 BC27 DD9D 2CC4 FD66
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)
