Date: Thu, 1 Jun 2017 07:14:46 -0600
From: Kurt Seifried <kseifrie@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: Information on recent sqlite3 issues?

I will bring this up at the next CVE board meeting (2 weeks from now).


-Kurt

> On Jun 1, 2017, at 00:20, Johannes Segitz <jsegitz@...e.de> wrote:
> 
>> On Thu, Jun 01, 2017 at 12:24:10AM +0200, Andreas Stieger wrote:
>> Hello,
>> 
>> 
>>> On 05/31/2017 10:30 PM, Moritz Muehlenhoff wrote:
>>> one of the latest Apple advisories mentions several vulnerabilities in sqlite:
>>> https://support.apple.com/en-us/HT207798
>>> 
>>> CVE-2017-2513: found by OSS-Fuzz
>>> CVE-2017-2518: found by OSS-Fuzz
>>> CVE-2017-2520: found by OSS-Fuzz
>>> CVE-2017-2519: found by OSS-Fuzz
>>> CVE-2017-6983: Chaitin Security Research Lab (@ChaitinTech) working with Trend Micro's Zero Day Initiative
>>> CVE-2017-6991: Chaitin Security Research Lab (@ChaitinTech) working with Trend Micro's Zero Day Initiative
>>> 
>>> Does anyone have additional information on those and whether that
>>> applies to the standard sqlite releases or Apple-specific changes?
>> 
>> SUSE has asked Apple, but has not yet received an answer as far as I am
>> aware.
> 
> They replied:
> 
>> Thank you for contacting the Apple Product Security team.
>> 
>> Please contact the SQLite maintainers to coordinate.
> 
> I think it is problematic that they assign CVEs but don't provide any
> details even if it's not only their code. I contacted the sqlite-devs for
> details but didn't receive a reply up to this point.
> 
> Johannes
> -- 
> GPG Key E7C81FA0       EE16 6BCE AD56 E034 BFB3  3ADD 7BF7 29D5 E7C8 1FA0
> Subkey fingerprint:    250F 43F5 F7CE 6F1E 9C59  4F95 BC27 DD9D 2CC4 FD66
> SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton
> HRB 21284 (AG Nürnberg)
