Re: Incomplete fix for CVE-2019-20218/sqlite3
On Tue, Dec 08, 2020 at 10:04:13AM -0500, Roberto C. Sánchez wrote:
> Hi Moritz & Chris,
> On Tue, Dec 08, 2020 at 02:37:14PM +0000, Chris Lamb wrote:
> > Hi Moritz,
> > > CVE-2019-20218 isn't fixed in Stretch/LTS. Running the reproducer:
> Thanks for reporting this. It seems I overlooked something in my
> update. I should have taken greater care.
> > Roberto, can you follow up on this?
> I have claimed the package in dla-needed.txt. I will get this
> straightened out (including properly confirming that the vulnerability
> is fixed) in the coming days.
I have backported the additional commit, tested the fix for
completeness, prepared the updated package and uploaded it. However,
since archive processing is currently suspended pending the resolution
of the recently reported python-apt bug, it will probably wait in the
upload queue until archive processing resumes. Once the ACCEPT message
comes through I will prepare and publish the DLA.
Roberto C. Sánchez