Bug#784021: pu: sqlite3/220.127.116.11-1+deb8u1
usertags 784021 = pu
tags 784021 + moreinfo jessie
On 2015-05-02 10:42, László Böszörményi wrote:
No. Testing isn't frozen and this is a request for an update to stable;
fixed. (Oddly you got the tag in the subject (mostly) correct.)
There are three security bugs in SQLite3 which need to be fixed for
Jessie. I've already prepared the update and debdiff is attached.
Security team is in the Cc in case they are also working on it or would
like to take over.
In short, vulnerabilities are the following.
CVE-2015-3414 - uninitialized memory denial of service (remote).
CVE-2015-3415 - vdbe.c sqlite3VdbeExec denial of service (remote).
CVE-2015-3415 - printf.c sqlite3VXPrintf buffer overflow (remote).
As none of those are currently tagged no-dsa in the security tracker,
I'd prefer to wait for confirmation on that. I'd have thought it made
more sense to talk to them first tbh but never mind. :)