bug#47231: closed (sqlite package is vulnerable to CVE-2020-11655, CVE-2
From: GNU bug Tracking System
Subject: bug#47231: closed (sqlite package is vulnerable to CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327)
Date: Fri, 26 Mar 2021 01:37:02 +0000
Your message dated Fri, 26 Mar 2021 02:36:16 +0100
with message-id <318a4b5eed01580d377cc8199a4bfb0db30b5eeb.camel@zaclys.net>
and subject line Re: bug#47231: sqlite package is vulnerable to CVE-2020-11655,
CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631,
CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327
has caused the debbugs.gnu.org bug report #47231,
regarding sqlite package is vulnerable to CVE-2020-11655, CVE-2020-11656,
CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632,
CVE-2020-15358 and CVE-2020-9327
to be marked as done.
(If you believe you have received this mail in error, please contact
help-debbugs@gnu.org.)
--
47231: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=47231
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems
--- Begin Message ---
Subject: sqlite package is vulnerable to CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327
Date: Thu, 18 Mar 2021 12:42:43 +0100
User-agent: Evolution 3.34.2
According to https://www.sqlite.org/versionnumbers.html major versions
of sqlite remain ABI and file format backwards compatible.
It means we could graft without trouble, 3.32.3 fixes all CVEs, however
3.32 introduces a test failure in Python 3.8.2 which is an erroneous
test testing internal sqlite implementation detail (but grafting won't
actually re-run this test suite).
See: https://bugs.python.org/issue40784
Otherwise I am still trying to run GNU Guix's own test suite on this
but it turns out unnecessarily complicated, see
https://issues.guix.gnu.org/47230 for suggestions on improving that
process.
Attached WIP patch.
Thank you!
Léo
0001-gnu-sqlite-Update-to-3.32.3-security-fixes.patch
Description: Text Data
--- End Message ---
--- Begin Message ---
Subject: Re: bug#47231: sqlite package is vulnerable to CVE-2020-11655, CVE-2020-11656, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632, CVE-2020-15358 and CVE-2020-9327
Date: Fri, 26 Mar 2021 02:36:16 +0100
User-agent: Evolution 3.34.2
On Thu, 2021-03-25 at 21:23 -0400, Mark H Weaver wrote:
>
> Just a reminder that, just as with 'mysql/fixed', 'sqlite/fixed' should
> *not* use 'package/inherit', since the package you're defining is the
> replacement for the package you're inheriting from.
>
> Otherwise, it looks good to me!
>
> Thanks,
> Mark
Adapted, wasn't sure what package/inherit was for exactly.
Tobias Geerinckx-Rice via Bug reports for GNU Guix writes:
> > I'm currently rebuilding IceCat with this change as an extra
> > precaution, but that shouldn't take long. If that doesn't cause
> > problems this LGTM for master.
>
> OK, it worked, old IceCat writes new SQLite files.
>
> Kind regards,
>
> T G-R
Thank you both for the review!
Pushed as 6e7ba45357078b31a369b23f8a9f38302dfcbb10!
--- End Message ---