Bug 13317

Summary:	[CVE 21] sqlite 3.39.4 CVEs found
Product:	[ROSA-based products] ROSA Fresh	Reporter:	Yury <y.tumanov>
Component:	System (kernel, glibc, systemd, bash, PAM...)	Assignee:	ROSA Linux Bugs <bugs>
Status:	VERIFIED FIXED	QA Contact:	ROSA Linux Bugs <bugs>
Severity:	normal
Priority:	Normal	CC:	a.proklov, i.gaptrakhmanov, pastordidi, s.matveev, v.potapov, y.tumanov
Version:	All	Flags:	v.potapov: qa_verified+ y.tumanov: secteam_verified+ a.proklov: published+
Target Milestone:	---
Hardware:	All
OS:	Linux
URL:	CVE-2022-46908,
Whiteboard:
Platform:	2021.1	ROSA Vulnerability identifier:
RPM Package:		ISO-related:
Bad POT generating:		Upstream:

Description Yury 2023-05-03 18:02:55 MSK

Please patch CVEs for package sqlite version 3.39.4
  
INFO (CVEs are): sqlite 3.39.4
 cves found
CVE-2022-46908
Desc: SQLite through 3.40.0, when relying on --safe for execution of an untrusted CLI script, does not properly implement the azProhibitedFunctions protection mechanism, and instead allows UDF functions such as WRITEFILE.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-46908
Severity: HIGH

Comment 1 ilfat 2023-05-25 10:29:26 MSK

********** QA ADVISORY **********

CVE closed by project update

Updated to 3.40.2

https://abf.io/build_lists/4444006 i686
https://abf.io/build_lists/4444005 aarch64
https://abf.io/build_lists/4444004 x86_64

Comment 2 ilfat 2023-05-25 10:31:41 MSK

Updated to 3.41.2 (в предыдущем комменте опечатка)

Comment 3 Dmitry Postnikov 2023-05-25 11:19:28 MSK

***************************
The update sent to testings

Comment 4 Vladimir Potapov 2023-05-30 18:31:42 MSK

sqlite-3.41.2-1
https://abf.io/build_lists/4444006 i686
https://abf.io/build_lists/4444005 aarch64
https://abf.io/build_lists/4444004 x86_64
*************************** Advisory ****************************
CVE closed by project update

Updated to 3.41.2
******************************************************************
QA Verified

Comment 5 Yury 2023-07-25 16:40:26 MSK

Secteam Verified