Re: Incomplete fix for CVE-2019-20218/sqlite3

To: Chris Lamb <lamby@debian.org>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, debian-lts@lists.debian.org
Subject: Re: Incomplete fix for CVE-2019-20218/sqlite3
From: Roberto C. Sánchez <roberto@debian.org>
Date: Tue, 8 Dec 2020 10:04:13 -0500
Message-id: <[🔎] 20201208150413.GH4291@connexer.com>
Mail-followup-to: Roberto C. Sánchez <roberto@debian.org>, Chris Lamb <lamby@debian.org>, Moritz Muehlenhoff <jmm@inutil.org>, debian-lts@lists.debian.org
In-reply-to: <[🔎] e9092c45-cda4-4016-bcf3-7cfff20e0f7f@www.fastmail.com>
References: <[🔎] 20201208130903.3vakp7jg6olqmxps@inutil.org> <[🔎] e9092c45-cda4-4016-bcf3-7cfff20e0f7f@www.fastmail.com>

Hi Moritz & Chris,

On Tue, Dec 08, 2020 at 02:37:14PM +0000, Chris Lamb wrote:
> Hi Moritz,
> 
> > CVE-2019-20218 isn't fixed in Stretch/LTS. Running the reproducer:
> 

Thanks for reporting this.  It seems I overlooked something in my
update.  I should have taken greater care.

> 
> Roberto, can you follow-up on this?
> 
I have claimed the package in dla-needed.txt.  I will get this
straightened out (including properly confirming that the vulnerability
is fixed) in the coming days.

Regards,

-Roberto

-- 
Roberto C. Sánchez

Reply to:

Follow-Ups:
- Re: Incomplete fix for CVE-2019-20218/sqlite3
  - From: Roberto C. Sánchez <roberto@debian.org>

References:
- Incomplete fix for CVE-2019-20218/sqlite3
  - From: Moritz Muehlenhoff <jmm@inutil.org>
- Re: Incomplete fix for CVE-2019-20218/sqlite3
  - From: "Chris Lamb" <lamby@debian.org>

Prev by Date: Re: Incomplete fix for CVE-2019-20218/sqlite3
Next by Date: Invitation to QUOTE 09/12/2020
Previous by thread: Re: Incomplete fix for CVE-2019-20218/sqlite3
Next by thread: Re: Incomplete fix for CVE-2019-20218/sqlite3
Index(es):
- Date
- Thread