Re: Incomplete fix for CVE-2019-20218/sqlite3
On Thu, Dec 10, 2020 at 08:53:58AM -0500, Roberto C. Sánchez wrote:
> On Tue, Dec 08, 2020 at 10:04:13AM -0500, Roberto C. Sánchez wrote:
> > Hi Moritz & Chris,
> >
> > On Tue, Dec 08, 2020 at 02:37:14PM +0000, Chris Lamb wrote:
> > > Hi Moritz,
> > >
> > > > CVE-2019-20218 isn't fixed in Stretch/LTS. Running the reproducer:
> > >
> >
> > Thanks for reporting this. It seems I overlooked something in my
> > update. I should have taken greater care.
> >
> > >
> > > Roberto, can you follow up on this?
> > >
> > I have claimed the package in dla-needed.txt. I will get this
> > straightened out (including properly confirming that the vulnerability
> > is fixed) in the coming days.
> >
> I have backported the additional commit, tested the fix for
> completeness, prepared the updated package and uploaded it. However,
> since archive processing is currently suspended pending the resolution
> of the recently reported python-apt bug, it will probably wait in the
> upload queue until archive processing resumes. Once the ACCEPT message
> comes through I will prepare and publish the DLA.

I did not see an announcement that archive processing had resumed, but a
short while ago I received the ACCEPT message and the package built and
was uploaded and installed on all architectures. I went ahead and
published the DLA as well.

Regards,

-Roberto
--
Roberto C. Sánchez