
Re: Incomplete fix for CVE-2019-20218/sqlite3



On Thu, Dec 10, 2020 at 08:53:58AM -0500, Roberto C. Sánchez wrote:
> On Tue, Dec 08, 2020 at 10:04:13AM -0500, Roberto C. Sánchez wrote:
> > Hi Moritz & Chris,
> > 
> > On Tue, Dec 08, 2020 at 02:37:14PM +0000, Chris Lamb wrote:
> > > Hi Moritz,
> > > 
> > > > CVE-2019-20218 isn't fixed in Stretch/LTS. Running the reproducer:
> > > 
> > 
> > Thanks for reporting this.  It seems I overlooked something in my
> > update.  I should have taken greater care.
> > 
> > > 
> > > > Roberto, can you follow up on this?
> > > 
> > I have claimed the package in dla-needed.txt.  I will get this
> > straightened out (including properly confirming that the vulnerability
> > is fixed) in the coming days.
> > 
> I have backported the additional commit, tested the fix for
> completeness, prepared the updated package and uploaded it.  However,
> since archive processing is currently suspended pending the resolution
> of the recently reported python-apt bug, it will probably wait in the
> upload queue until archive processing resumes.  Once the ACCEPT message
> comes through I will prepare and publish the DLA.

I did not see an announcement that archive processing had resumed, but a
short while ago I received the ACCEPT message and the package built and
was uploaded and installed on all architectures.  I went ahead and
published the DLA as well.

Regards,

-Roberto

-- 
Roberto C. Sánchez

