On Mon, Dec 17, 2018 at 6:21 AM Hideki Yamane <[email protected]> wrote:
> It may be known already but
> https://security-tracker.debian.org/tracker/source-package/sqlite3
> doesn't contain its vulnerability information.

I sent a detailed analysis of the possible issue back then to the Security Team. A bit later I had to go off the grid, but I am now back on track with some public details.

> Tencent Blade Team released a security advisory about "Magellan" bug
> in sqlite, that was fixed in upstream 3.26.0.
> See https://blade.tencent.com/magellan/index_en.html

It turned out to be an FTS3/FTS4 extension issue (that is, you are safe if you don't use it). Upstream confirmed it[1] and a fix is available[2]. The first fixed version is 3.25.3, but due to other security-related fixes like an OOM[3] you are better off upgrading to the 3.26.0 release. Only Chrome seems to be affected due to WebSQL usage.

Regards,
Laszlo/GCS

[1] https://www.mail-archive.com/[email protected]/msg113218.html
[2] https://www.sqlite.org/src/info/940f2adc8541a838
[3] https://www.sqlite.org/src/info/de0781485701c138
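An added example, not part of the message above and not SQLite's or Debian's own code: a local check for the two conditions the message names, whether the FTS3/FTS4 module is available in the linked SQLite library and whether its version is at least 3.25.3 (first fix) or 3.26.0 (recommended). The function names and status labels are hypothetical, and the version comparison assumes an upstream version number (a distribution may backport the fix without changing it).

```python
import sqlite3

FIRST_FIXED = (3, 25, 3)  # first fixed release named in the message
RECOMMENDED = (3, 26, 0)  # release the message advises upgrading to


def parse_version(text):
    """'3.25.3' -> (3, 25, 3); four-part versions such as '3.8.7.1' also work."""
    return tuple(int(part) for part in text.strip().split("."))


def has_fts3():
    """Probe the linked library for FTS3/FTS4 with a throwaway in-memory table."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute("CREATE VIRTUAL TABLE fts_probe USING fts3(x)")
        return True
    except sqlite3.OperationalError as exc:
        if "no such module" in str(exc):
            return False  # FTS3/FTS4 not compiled into this build
        raise
    finally:
        conn.close()


def classify(version, fts_present):
    """Map (version tuple, FTS availability) to a hypothetical status label."""
    if not fts_present:
        return "fts-absent"             # the affected extension is not available
    if version < FIRST_FIXED:
        return "affected"               # FTS present, predates the first fix
    if version < RECOMMENDED:
        return "fixed-upgrade-advised"  # has the fix, lacks the later fixes
    return "ok"


def check_local():
    """Classify the SQLite library this Python interpreter is linked against."""
    return classify(parse_version(sqlite3.sqlite_version), has_fts3())


if __name__ == "__main__":
    print(sqlite3.sqlite_version, check_local())
```

This reports on the library linked into the Python interpreter only; applications that bundle their own SQLite copy need the same check against that copy.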

