From 2b5cf2c7090f8f6730d1b92b453bea307a8f66a951a053b1a8b78051c567f019 Mon Sep 17 00:00:00 2001 From: Reinhard Max Date: Tue, 13 Apr 2021 13:40:51 +0000 Subject: [PATCH] Revert the merging of SLE-12 bug references into the changes file OBS-URL: https://build.opensuse.org/package/show/server:database/sqlite3?expand=0&rev=265 --- sqlite3.changes | 116 +----------------------------------------------- 1 file changed, 1 insertion(+), 115 deletions(-) diff --git a/sqlite3.changes b/sqlite3.changes index ecaa04a..9401a76 100644 --- a/sqlite3.changes +++ b/sqlite3.changes @@ -1,67 +1,7 @@ ------------------------------------------------------------------- Tue Apr 6 14:57:30 UTC 2021 - Reinhard Max -- Sync Factory to SLE-12 and SLE-15. - -- The following CVEs have been fixed in upstream releases up to - this point, but were not mentioned in the chane log so far: - * bsc#1173641, CVE-2020-15358: heap-based buffer overflow in - multiSelectOrderBy due to mishandling of query-flattener - optimization - * bsc#1164719, CVE-2020-9327: NULL pointer dereference and - segmentation fault because of generated column optimizations in - isAuxiliaryVtabOperator - * bsc#1160439, CVE-2019-20218: selectExpander in select.c proceeds - with WITH stack unwinding even after a parsing error - * bsc#1160438, CVE-2019-19959: memory-management error via - ext/misc/zipfile.c involving embedded '\0' input - * bsc#1160309, CVE-2019-19923: improper handling of certain uses - of SELECT DISTINCT in flattenSubquery may lead to null pointer - dereference - * bsc#1159850, CVE-2019-19924: improper error handling in - sqlite3WindowRewrite() - * bsc#1159847, CVE-2019-19925: improper handling of NULL pathname - during an update of a ZIP archive - * bsc#1159715, CVE-2019-19926: improper handling of certain - errors during parsing multiSelect in select.c - * bsc#1159491, CVE-2019-19880: exprListAppendList in window.c - allows attackers to trigger an invalid pointer dereference - * bsc#1158960, CVE-2019-19603: during handling of CREATE TABLE - and CREATE VIEW statements, does not consider confusion with - a shadow table name - * bsc#1158959, CVE-2019-19646: pragma.c mishandles NOT NULL in an - integrity_check PRAGMA command in certain cases of generated - columns - * bsc#1158958, CVE-2019-19645: alter.c allows attackers to trigger - infinite recursion via certain types of self-referential views - in conjunction with ALTER TABLE statements - * bsc#1158812, CVE-2019-19317: lookupName in resolve.c omits bits - from the colUsed bitmask in the case of a generated column, - which allows attackers to cause a denial of service - * bsc#1157818, CVE-2019-19244: sqlite3,sqlite2,sqlite: The - function sqlite3Select in select.c allows a crash if a - sub-select uses both DISTINCT and window functions, and also - has certain ORDER BY usage - * bsc#928701, CVE-2015-3415: sqlite3VdbeExec comparison operator - vulnerability - * bsc#928700, CVE-2015-3414: sqlite3,sqlite2: dequoting of - collation-sequence names - -- Fix build on SLE-12 and remove the following patches from there - which are all upstream: - * sqlite3-CVE-2017-10989.patch - * sqlite3-CVE-2017-2518.patch, - * sqlite3-CVE-2018-20346.patch, - * sqlite3-CVE-2018-8740.patch, - * sqlite3-CVE-2019-16168.patch, - * sqlite3-CVE-2019-8457.patch, - * sqlite3-journal-file.patch, - * sqlite3-xFetch-null.patch, - * sqlite3-CVE-2016-6153.patch - * The addition of these patches was also merged into the history - of Factory for log consistency reasons although they never - existed there, because Factory was always updated to a fixed - version instead of adding a patch. +- Fix build on SLE-12 ------------------------------------------------------------------- Sat Apr 3 06:51:48 UTC 2021 - Andreas Stieger @@ -337,13 +277,6 @@ Fri Jan 17 14:29:39 UTC 2020 - Stefan Brüns function, exposed when running testsuite on i586: + sqlite3-avoid-truncation-error.patch -------------------------------------------------------------------- -Wed Nov 6 12:33:37 UTC 2019 - Reinhard Max - -- bsc#1155787, CVE-2017-2518, sqlite3-CVE-2017-2518.patch: - A use-after-free bug in the query optimizer may cause a buffer - overflow and application crash via a crafted SQL statement. - ------------------------------------------------------------------- Fri Oct 11 15:05:00 UTC 2019 - Andreas Stieger @@ -412,13 +345,6 @@ Thu Jul 11 08:59:55 UTC 2019 - Ismail Dönmez + Add the long-standing ".testctrl" command to the ".help" menu. + Added the ".dbconfig" command -------------------------------------------------------------------- -Wed Jun 12 13:18:28 UTC 2019 - Reinhard Max - -- CVE-2019-8457, bsc#1136976, sqlite3-CVE-2019-8457.patch: heap - out-of-bound read in the rtreenode() function when handling - invalid rtree tables. - ------------------------------------------------------------------- Thu Apr 18 13:52:28 UTC 2019 - Reinhard Max @@ -436,21 +362,6 @@ Thu Apr 18 13:52:28 UTC 2019 - Reinhard Max * Security and compatibilities enhancements to fts3_tokenizer(). * Improved robustness against corrupt database files. -------------------------------------------------------------------- -Wed Apr 17 15:39:30 UTC 2019 - Reinhard Max - -- CVE-2017-10989, bsc#1132045, sqlite3-CVE-2017-10989.patch: - getNodeSize function in ext/rtree/rtree.c issues -- CVE-2018-8740, bsc#1085790, sqlite3-CVE-2018-8740.patch: - Databases whose schema is corrupted using a CREATE TABLE AS - statement could cause a NULL pointer dereference. - -------------------------------------------------------------------- -Fri Mar 15 12:54:22 UTC 2019 - Reinhard Max - -- CVE-2018-20346, bsc#1119687, sqlite3-CVE-2018-20346.patch: - Fix remote code execution vulnerability in FTS3 (Magellan). - ------------------------------------------------------------------- Sun Mar 10 17:37:06 UTC 2019 - Andreas Stieger @@ -467,8 +378,6 @@ Sun Mar 10 17:37:06 UTC 2019 - Andreas Stieger of the SQLite library itself * Increased robustness against malicious SQL that is run against a maliciously corrupted database - * CVE-2018-20346, bsc#1119687: remote code execution - vulnerability in FTS3 (Magellan). - drop sqlite3-btree02-100.patch ------------------------------------------------------------------- @@ -816,12 +725,6 @@ Mon May 22 18:47:42 UTC 2017 - idonmez@suse.com to avoid excess stack usage in the recursive descent parser. Fix for ticket 981329adeef51011052. -------------------------------------------------------------------- -Tue Apr 4 12:46:31 UTC 2017 - max@suse.com - -- Avoid calling sqlite3OsFetch() on a file-handle for which the - xFetch method is NULL (bsc#1025034, sqlite3-xFetch-null.patch). - ------------------------------------------------------------------- Fri Mar 31 12:03:54 UTC 2017 - idonmez@suse.com @@ -918,12 +821,6 @@ Tue Feb 14 09:19:28 UTC 2017 - idonmez@suse.com * Ensure that the sqlite3_blob_reopen() interface can correctly handle short rows. Fix for ticket e6e962d6b0f06f46e. -------------------------------------------------------------------- -Mon Jan 16 13:08:11 UTC 2017 - max@suse.com - -- Fix a segfault in the in-memory journal logic (bsc#1019518, - sqlite3-journal-file.patch). - ------------------------------------------------------------------- Sat Jan 7 16:44:32 UTC 2017 - mpluskal@suse.com @@ -1131,12 +1028,6 @@ Tue Aug 2 11:00:30 UTC 2016 - tchvatal@suse.com - Reduce the conditions a bit and sort with spec-cleaner - Remove condition for old sle10 ppc machines -------------------------------------------------------------------- -Tue Jul 5 15:51:09 UTC 2016 - max@suse.com - -- Fix Tempdir Selection Vulnerability (bsc#987394, CVE-2016-6153, - sqlite3-CVE-2016-6153.patch). - ------------------------------------------------------------------- Wed May 18 19:43:17 UTC 2016 - idonmez@suse.com @@ -1385,11 +1276,6 @@ Thu Oct 15 14:35:51 UTC 2015 - astieger@suse.com analyzed. * sqlite3_memory_alarm() no-op. -------------------------------------------------------------------- -Tue Aug 11 09:20:25 UTC 2015 - max@suse.com -- Submit Factory package to SLE12-SP1 to enable the unlock notify - API (fate#317928). - ------------------------------------------------------------------- Fri Jul 31 11:44:40 UTC 2015 - mpluskal@suse.com