On 17/12/2018 7:44 pm, Brooks Davis wrote:
> On Sun, Dec 16, 2018 at 08:13:59AM -0800, Roger Marquis wrote:
>> Thanks to Chrome{,ium} a recently discovered SQLite exploit has been all
>> over the news for a week now. It is patched on all Linux platforms but
>> has not yet shown up in FreeBSD's vulxml database. Does this mean:
>>
>> A) FreeBSD versions prior to 3.26.0 are not vulnerable, or
>>
>> B) the ports-secteam is not able to properly maintain the vulnerability
>> database?
>>
>> If the latter perhaps someone from the security team could let us know
>> how such a significant vulnerability could go unflagged for so long and,
>> more importantly, what might be done to address the gap in reporting?
>
> Almost certainly:
>
> C) This vulnerability was reported in a random blog post on a Sunday
> without any details so people haven't caught up with it yet.
>
> -- Brooks
>
Pretty close :)
Original source/announcement:
https://www.tenable.com/blog/magellan-remote-code-execution-vulnerability-in-sqlite-disclosed
[December 14th, 2018]
I've already re-opened Issue #233712 [1], which was our
databases/sqlite3 port update to 3.26.0 and requested a merge to quarterly.
Chromium's fixes are in 71.0.3578.80 [2], there is an existing
www/chromium Bugzilla issue to update to 73.0.3640.0 [3], which has been
tracked as a security update and for MFH.
Any ports/packages that embed/bundle their own sqlite3 library will also
need updating.
[1] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233712
[2] https://chromereleases.googleblog.com/2018/12/stable-channel-update-for-desktop.html
[3] https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=233990
[4] https://news.ycombinator.com/item?id=18685296
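The reply above points out that packages bundling their own sqlite3 need updating separately from the databases/sqlite3 port. The script below is an added example, not code from this thread or from the FreeBSD project: it compares dotted sqlite3 version strings numerically against the 3.26.0 fix release the thread names, and on a FreeBSD host looks for package-owned libsqlite3 shared objects whose owner is not the sqlite3 package. The `pkg query '%n %v'` and `pkg which -q` invocations and their output formats are assumptions about a FreeBSD host; the sample package lines at the bottom are constructed so the script runs offline. A port that links SQLite statically (as Chromium does) leaves no libsqlite3 file to find, so the file scan is a partial check that has to be completed by tracking the port's own update.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeBSD project): flag installed
# sqlite3 copies older than the 3.26.0 fix release and point at bundled
# libsqlite3 files owned by other packages.

FIXED_VERSION="3.26.0"   # first release carrying the fix, per the thread

# version_lt A B: exit 0 when dotted version A is numerically lower than B.
# FreeBSD port revisions ("_1") and epochs (",1") are stripped first, and a
# missing component counts as 0, so "3.26" compares equal to "3.26.0".
# A plain string compare would wrongly rank 3.9.0 above 3.26.0.
version_lt() {
    a=${1%%,*}; a=${a%%_*}
    b=${2%%,*}; b=${b%%_*}
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$ai" = "$a" ]; then a=""; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=""; else b=${b#*.}; fi
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1
}

# flag_outdated: read "name version" lines on stdin (the shape produced by
# `pkg query '%n %v' <pkg>`, an assumption about pkg) and print the ones
# whose version predates FIXED_VERSION.
flag_outdated() {
    while read -r name ver; do
        [ -n "$name" ] || continue
        if version_lt "$ver" "$FIXED_VERSION"; then
            echo "$name $ver needs update (< $FIXED_VERSION)"
        fi
    done
}

# list_bundled_sqlite: on a FreeBSD host, print libsqlite3 shared objects
# under /usr/local owned by a package other than sqlite3. Each such package
# carries its own copy and needs its own fix. Statically linked copies are
# not visible to this scan. Only attempted when pkg is available.
list_bundled_sqlite() {
    command -v pkg >/dev/null 2>&1 || { echo "pkg not available" >&2; return 1; }
    find /usr/local -name 'libsqlite3*.so*' 2>/dev/null | while read -r f; do
        owner=$(pkg which -q "$f" 2>/dev/null)   # assumed to print name-version
        case "$owner" in
            ""|sqlite3-*) ;;                      # unowned, or the port itself
            *) echo "$f (owned by $owner)" ;;
        esac
    done
}

# Constructed sample input (not real pkg output) so the script runs offline.
printf '%s\n' "sqlite3 3.25.2_1" "sqlite3 3.26.0" "example-bundling-port 3.9.0,1" \
    | flag_outdated

# On a live FreeBSD host (assumed pkg usage):
#   pkg query '%n %v' sqlite3 | flag_outdated
#   list_bundled_sqlite
```

The version comparison is the part worth keeping around: a vuln database entry of the form "< 3.26.0" is only useful if the comparison treats the components as integers, and port revision suffixes must be stripped before that comparison or every "_1" package looks unparseable.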