Bug#1037542: bookworm-pu: package xerial-sqlite-jdbc/3.40.1.0+dfsg-1+deb12u1
Hi Pierre,
On Wed, Jun 14, 2023 at 12:01:18AM +0200, Pierre Gruet wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian.org@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: xerial-sqlite-jdbc@packages.debian.org
> Control: affects -1 + src:xerial-sqlite-jdbc
>
> Dear Release team,
>
> I would like to upload xerial-sqlite-jdbc to stable-proposed-updates.
>
> [ Reason ]
> Grave bug #1036706 was filed a few days before the release of Bookworm.
> It is a security bug associated with CVE-2023-32697. Although it has been
> marked no-dsa by the security team, we exchanged a few emails and our
> conclusion was that the fix for this bug, which amounts to cherry-picking one
> upstream commit, should land in Bookworm during a point release.
>
> [ Impact ]
> CVE-2023-32697 would remain. The Debian-packaged reverse dependencies of the
> package are mainly used in a single-user environment, but possibly it is also
> used in a network environment by some users for their own programs, and this is
> where there might be some hazard.
>
> [ Tests ]
> The package was built in a Bookworm chroot and its autopkgtest is passing.
>
> [ Risks ]
> The code is very simple, only 2 lines are changed. Upstream published it
> three weeks ago and has issued new upstream versions since then.
>
> [ Checklist ]
> [X] *all* changes are documented in the d/changelog
> [X] I reviewed all changes and I approve them
> [X] attach debdiff against the package in (old)stable
> [X] the issue is verified as fixed in unstable
>
> [ Changes ]
> Cherry-picking commit edb4b8adc2447bc04e05b9b908195a4bc7926242 from upstream,
> which uses a random UUID instead of the hash of some fixed address in order to
> define the DB file name.
>
> Thanks for your help,
>
> Best,
>
> --
> Pierre
> diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog
> --- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog 2023-02-04 14:24:45.000000000 +0100
> +++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog 2023-06-13 23:19:59.000000000 +0200
> @@ -1,3 +1,9 @@
> +xerial-sqlite-jdbc (3.40.1.0+dfsg-1+deb12u1) bookworm; urgency=medium
> +
> + * Using a random UUID for the connection (Fixes CVE-2023-32697 in Bookworm)
> +
> + -- Pierre Gruet <pgt@debian.org> Tue, 13 Jun 2023 23:19:59 +0200
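Review bot: the changelog entry `+ * Using a random UUID for the connection (Fixes CVE-2023-32697 in Bookworm)` does not reference the Debian bug it resolves; since this upload is the fix for #1036706 (named in the [ Reason ] section), the entry should carry the closer, e.g. `(Closes: #1036706)`, so the BTS marks the bug as fixed in bookworm once the upload is accepted. The hunk as quoted also looks truncated: the header `@@ -1,3 +1,9 @@` announces 9 new-file lines, but only 5 `+` lines are shown, so the separating blank line and the three context lines from the previous changelog entry are missing, and the source change itself (the cherry-picked commit edb4b8ad, the "2 lines" mentioned under [ Risks ]) does not appear in the quoted diff; the full debdiff should be attached to the bug.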
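To make the point of the cherry-picked change concrete, here is an added illustration in Java (not code from xerial-sqlite-jdbc, the upstream commit, or this bug report): a file name derived from the hash of a fixed value is identical on every run and in every process, so anyone who knows the fixed input can compute it in advance, whereas a name built from `UUID.randomUUID()` is fresh per connection. The names, the `DbFileNaming` class and the `createFresh` helper are assumptions for this example; the helper goes slightly beyond the report by showing that creating the file with `Files.createFile` refuses to reuse a path that already exists, which is the failure the predictable name exposes.

```java
import java.io.IOException;
import java.nio.file.FileAlreadyExistsException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.UUID;

public class DbFileNaming {

    // Pre-fix style (reconstructed for illustration, not the driver's code):
    // the name depends only on a fixed string, so String.hashCode() yields the
    // same value on every run of every JVM and the path is predictable.
    static String predictableName(String fixedAddress) {
        return "sqlite-jdbc-tmp-" + fixedAddress.hashCode() + ".db";
    }

    // Post-fix style as described in the report: a random UUID per connection,
    // so the path cannot be computed ahead of time by another party.
    static String randomName() {
        return "sqlite-jdbc-tmp-" + UUID.randomUUID() + ".db";
    }

    // Defensive creation: Files.createFile fails with FileAlreadyExistsException
    // instead of silently opening a file that already sits at that path.
    static Path createFresh(Path dir, String name) throws IOException {
        return Files.createFile(dir.resolve(name));
    }

    public static void main(String[] args) throws IOException {
        String fixed = "http://example.invalid/fixed-resource"; // constructed input
        System.out.println("predictable name stable across calls: "
                + predictableName(fixed).equals(predictableName(fixed)));   // true
        System.out.println("random names collide: "
                + randomName().equals(randomName()));                       // false

        Path dir = Files.createTempDirectory("naming-demo");
        Path db = createFresh(dir, randomName());
        try {
            // Simulates a second creation at an already-occupied path.
            createFresh(dir, db.getFileName().toString());
        } catch (FileAlreadyExistsException e) {
            System.out.println("refused to reuse existing file: " + e.getFile());
        } finally {
            Files.deleteIfExists(db);
            Files.deleteIfExists(dir);
        }
    }
}
```

Run it twice and `predictableName` prints the same path both times while `randomName` never repeats; the `FileAlreadyExistsException` branch is what turns a guessed path into a loud failure rather than a silently shared database file.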
Can you also add the Debian bug closer for #1036706 here?
Regards,
Salvatore