Re: SQLite vulnerability

2018-12-17 Thread Ronald F. Guilmette
I just wanted to say that I'm sorry to see there being a somewhat testy exchange here on this list with regards to the SQLite issue, but at least it gives me an opportunity to crack a rather lame joke that I just made up by accident. I'll be talking with another security professional by phone

Re: SQLite vulnerability

2018-12-17 Thread Cameron, Frank J
On Mon, Dec 17, 2018 at 10:02:36AM -0800, Hugh LaMaster wrote: > On 12/17/18 6:14 AM, Cameron, Frank J wrote: > > 'The new SQLITE_DBCONFIG_DEFENSIVE features is more of a > > defense-in-depth, designed to head off future vulnerabilities by > > making shadow-tables read-only to ordinary SQL, along

Re: SQLite vulnerability

2018-12-17 Thread Robert Simmons
I'm objecting to your tone, which is nearly always negative. The link I sent states the problem with your tone in a much better and more eloquent way than I can. I challenge you to change your tone when you post to the list in the future. On Mon, Dec 17, 2018 at 10:28 AM Roger Marquis wrote: >

RE: SQLite vulnerability

2018-12-17 Thread Cy Schubert
Base needs updating. --- Sent using a tiny phone keyboard. Apologies for any typos and autocorrect. Also, this old phone only supports top post. Apologies. Cy Schubert or The need of the many outweighs the greed of the few. --- -Original Message- From: Roger Marquis Sent: 17/12/2018

Re: SQLite vulnerability

2018-12-17 Thread Roger Marquis
On Mon, 17 Dec 2018, Kubilay Kocak wrote: Pretty close :) Original source/announcement: https://www.tenable.com/blog/magellan-remote-code-execution-vulnerability-in-sqlite-disclosed [December 14th, 2018] Not original though Tenable may have based their announcement on:

Re: SQLite vulnerability

2018-12-17 Thread Roger Marquis
Robert Simmons acerbically replied: Since you may not read that essay on open source software, here is the salient point for you: - For users: remember when filing an issue, opening a pull request or making a comment on a project to be grateful that people spend their free time to build

Re: SQLite vulnerability

2018-12-17 Thread Cameron, Frank J
On Mon, Dec 17, 2018 at 01:09:37PM +0100, Piotr Kubaj via freebsd-security wrote: > Doesn't base also need to be patched? > AFAIK pkg uses sqlite database. Does pkg allow running arbitrary untrusted SQL? 'The vulnerability only exists in applications that allow a potential attacker to run

Re: SQLite vulnerability

2018-12-17 Thread Robert Simmons
Yes, pkg uses sqlite. It uses the amalgamation here: https://github.com/freebsd/pkg/tree/master/external/sqlite On Mon, Dec 17, 2018, 07:11 Piotr Kubaj via freebsd-security <freebsd-security@freebsd.org> wrote: > Doesn't base also need to be patched? > > AFAIK pkg uses sqlite database. > > -- >

Re: SQLite vulnerability

2018-12-17 Thread Piotr Kubaj via freebsd-security
Doesn't base also need to be patched? AFAIK pkg uses sqlite database.

Re: SQLite vulnerability

2018-12-17 Thread Kubilay Kocak
On 17/12/2018 7:44 pm, Brooks Davis wrote: On Sun, Dec 16, 2018 at 08:13:59AM -0800, Roger Marquis wrote: Thanks to Chrome{,ium} a recently discovered SQLite exploit has been all over the news for a week now. It is patched on all Linux platforms but has not yet shown up in FreeBSD's vulxml

Re: SQLite vulnerability

2018-12-17 Thread Brooks Davis
On Sun, Dec 16, 2018 at 08:13:59AM -0800, Roger Marquis wrote: > Thanks to Chrome{,ium} a recently discovered SQLite exploit has been all > over the news for a week now. It is patched on all Linux platforms but > has not yet shown up in FreeBSD's vulxml database. Does this mean: > > A)

Re: SQLite vulnerability

2018-12-17 Thread Robert Simmons
Since you may not read that essay on open source software, here is the salient point for you: - For users: remember when filing an issue, opening a pull request or making a comment on a project to be grateful that people spend their free time to build software you get to use for free.

Re: SQLite vulnerability

2018-12-17 Thread Robert Simmons
https://mikemcquaid.com/2018/03/19/open-source-maintainers-owe-you-nothing/ On Sun, Dec 16, 2018, 16:42 Roger Marquis Thanks to Chrome{,ium} a recently discovered SQLite exploit has been all > over the news for a week now. It is patched on all Linux platforms but > has not yet shown up in

Re: SQLite vulnerability

2018-12-17 Thread Franco Fichtner
> On 17. Dec 2018, at 8:59 AM, Robert Simmons wrote: > > You're being a jerk. This knee-jerk reaction defence is getting old. If you guys don't want to address it just leave it be or say "I'm not interested in doing x-y-z", even if it means "not interested in security" or "not interested in

Re: SQLite vulnerability

2018-12-17 Thread Robert Simmons
You're being a jerk. This is a volunteer project. It owes you nothing. On Sun, Dec 16, 2018, 16:42 Roger Marquis Thanks to Chrome{,ium} a recently discovered SQLite exploit has been all > over the news for a week now. It is patched on all Linux platforms but > has not yet shown up in FreeBSD's