Your message dated Sun, 06 Aug 2023 14:46:13 +0000
with message-id <[email protected]>
and subject line Bug#928441: fixed in db5.3 5.3.28+dfsg2-2
has caused the Debian Bug report #928441,
regarding db5.3 ships an unregistered, embedded copy of sqlite3
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
928441: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928441
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: db5.3
Version: 5.3.28+dfsg1-0.6
Severity: important
Tags: security
I noticed that db5.3 builds an embedded copy of sqlite3, but it isn't
documented in the security tracker. This is troubling. Embedded code
copies are discouraged by Debian Policy and sqlite3 has a history of
(few) vulnerabilities with CVEs. Please do one of the following:
A. Stop using the embedded sqlite3 in favour of the packaged one.
(preferred)
B. Register your copy with the security tracker. Thus security updates
of sqlite3 can include an upload of db5.3.
A quick glance suggests that A is impossible, because db5.3 uses a
modified copy (see lang/sql/README). If that assessment is correct,
you'll have to update
https://salsa.debian.org/security-tracker-team/security-tracker/raw/master/data/embedded-code-copies
and add a line below "sqlite3" stating:
- db5.3 <unfixed> (modified-embed)
Helmut
--- End Message ---
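The check the report describes (is db5.3 listed below "sqlite3" in the tracker's embedded-code-copies data, and what does adding the requested line change?), as an added example that is not part of the bug report or of the security-tracker project. The file layout assumed by `ENTRY_RE` (an unindented upstream name followed by `- <package> <status> (<kind>)` lines) and the sample contents `BEFORE`/`AFTER` are assumptions constructed for the example; only the `db5.3` line comes from the report.

```python
import re

# Assumed layout of the embedded-code-copies file: an unindented line names
# the upstream project, each following "- <package> <status> (<kind>)" line
# names a Debian source package that embeds a copy of it. The grouping rule
# is an assumption; the page shows only the single line to be added.
ENTRY_RE = re.compile(
    r"^\s*-\s+(?P<pkg>\S+)\s+(?P<status>\S+)\s*(?:\((?P<kind>[^)]*)\))?"
)


def parse_embedded_copies(text):
    """Return {upstream: {package: (status, kind)}} for the given file text."""
    copies, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            copies[current][m["pkg"]] = (m["status"], m["kind"])
        elif not line.startswith(("-", " ", "\t")):
            current = line.strip()
            copies.setdefault(current, {})
    return copies


def embeds(copies, upstream, package):
    """Is `package` registered as carrying an embedded copy of `upstream`?"""
    return package in copies.get(upstream, {})


# Constructed sample resembling the tracker data before the report was filed.
BEFORE = """\
openssl
- foo <unfixed> (embed)
sqlite3
- bar 1.0-1 (embed)
"""
# The one line the report asks to add below "sqlite3".
AFTER = BEFORE + "- db5.3 <unfixed> (modified-embed)\n"

if __name__ == "__main__":
    print(embeds(parse_embedded_copies(BEFORE), "sqlite3", "db5.3"))  # False
    print(embeds(parse_embedded_copies(AFTER), "sqlite3", "db5.3"))   # True
```

With the line added, a security update of sqlite3 that walks this file will find db5.3 and can schedule an upload of it too.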
--- Begin Message ---
Source: db5.3
Source-Version: 5.3.28+dfsg2-2
Done: Bastian Germann <[email protected]>
We believe that the bug you reported is fixed in the latest version of
db5.3, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Bastian Germann <[email protected]> (supplier of updated db5.3 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sun, 06 Aug 2023 15:50:06 +0200
Source: db5.3
Architecture: source
Version: 5.3.28+dfsg2-2
Distribution: unstable
Urgency: medium
Maintainer: Bastian Germann <[email protected]>
Changed-By: Bastian Germann <[email protected]>
Closes: 650844 715779 928441 1010974 1043077
Changes:
db5.3 (5.3.28+dfsg2-2) unstable; urgency=medium
.
* d/watch: Drop non-existing website
* Demote libdb5.3's Priority to optional
* Apply Rules-Requires-Root (Closes: #1043077)
* Drop java and tcl packages (Closes: #650844)
* Rename wrongly prefixed patches
* Drop sql and stl packages (Closes: #1010974, #928441, #715779)
.
[ Debian Janitor ]
* db5.3-doc: Add Multi-Arch: foreign.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---