Hi Pierre,

On Wed, Jun 14, 2023 at 12:01:18AM +0200, Pierre Gruet wrote:
> Package: release.debian.org
> Severity: normal
> Tags: bookworm
> User: release.debian....@packages.debian.org
> Usertags: pu
> X-Debbugs-Cc: xerial-sqlite-j...@packages.debian.org
> Control: affects -1 + src:xerial-sqlite-jdbc
>
> Dear Release team,
>
> I would like to upload xerial-sqlite-jdbc to stable-proposed-updates.
>
> [ Reason ]
> Grave bug #1036706 was filed a few days before the release of Bookworm.
> This is a security bug associated with CVE-2023-32697. Although it has been
> marked no-dsa by the security team, we exchanged a few emails and our
> conclusion was that the fix for this bug, which amounts to cherry-picking one
> upstream commit, should land in Bookworm during a point release.
>
> [ Impact ]
> CVE-2023-32697 would remain. The Debian-packaged reverse dependencies of the
> package are mainly used in a single-user environment, but possibly it is also
> used in a network environment by some users for their own programs, and this
> is where there might be some hazard.
>
> [ Tests ]
> The package was built in a Bookworm chroot and its autopkgtest is passing.
>
> [ Risks ]
> The code is very simple, only 2 lines are changed. Upstream published it
> three weeks ago and has issued new upstream versions since then.
>
> [ Checklist ]
> [X] *all* changes are documented in the d/changelog
> [X] I reviewed all changes and I approve them
> [X] attach debdiff against the package in (old)stable
> [X] the issue is verified as fixed in unstable
>
> [ Changes ]
> Cherry-picking commit edb4b8adc2447bc04e05b9b908195a4bc7926242 from upstream,
> which uses a random UUID instead of the hash of some fixed address in order to
> define the DB file name.
>
> Thanks for your help,
>
> Best,
>
> --
> Pierre
> diff -Nru xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog
> --- xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog	2023-02-04 14:24:45.000000000 +0100
> +++ xerial-sqlite-jdbc-3.40.1.0+dfsg/debian/changelog	2023-06-13 23:19:59.000000000 +0200
> @@ -1,3 +1,9 @@
> +xerial-sqlite-jdbc (3.40.1.0+dfsg-1+deb12u1) bookworm; urgency=medium
> +
> + * Using a random UUID for the connection (Fixes CVE-2023-32697 in Bookworm)
> +
> + -- Pierre Gruet <p...@debian.org>  Tue, 13 Jun 2023 23:19:59 +0200

Can you as well add the Debian bug closer for #1036706 here?

Regards,
Salvatore
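Review bot: the changelog entry in this hunk does not close the bug it fixes; the line `+ * Using a random UUID for the connection (Fixes CVE-2023-32697 in Bookworm)` should also carry `(Closes: #1036706)` so the BTS is updated when the upload is accepted, and naming the cherry-picked upstream commit edb4b8adc2447bc04e05b9b908195a4bc7926242 in the entry would let a reader trace the change from the changelog alone, since the debdiff for the source file itself is not shown here.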
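The "[ Changes ]" paragraph describes the fix only in one sentence: a random UUID replaces the hash of a fixed address as the basis of the DB file name. The following Java snippet is an added illustration of that pattern written for this thread; it is not xerial-sqlite-jdbc code and not the cherry-picked upstream commit. The method names, the `"stand-in for a fixed address"` value and the `sqlite-*.db` name format are assumptions chosen for the demonstration. It contrasts a name derived from a value that is identical on every run with one derived from `UUID.randomUUID()`, and adds the defensive step of refusing to reuse a file that already exists at the chosen path.

```java
import java.io.IOException;
import java.nio.file.FileAlreadyExistsException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.UUID;

// Illustrative example only (assumption): NOT the xerial-sqlite-jdbc code and
// NOT the upstream commit referenced in the pu request. Names and values are
// chosen for this demonstration.
public class TempDbNaming {

    // Pattern the report describes as the problem: the name is derived from a
    // value that is the same on every run, so the name is predictable to any
    // other local user who can read or guess that value.
    static String predictableName(Object fixedValue) {
        return "sqlite-" + Integer.toHexString(fixedValue.hashCode()) + ".db";
    }

    // Pattern of the fix: a random (version 4) UUID gives 122 random bits, so
    // the name cannot be guessed in advance.
    static String randomName() {
        return "sqlite-" + UUID.randomUUID() + ".db";
    }

    // Defensive creation: Files.createFile fails if the path already exists,
    // so a file placed there beforehand by someone else is never silently
    // opened as "our" database.
    static Path createFresh(Path dir, String name) throws IOException {
        Path target = dir.resolve(name);
        try {
            return Files.createFile(target);
        } catch (FileAlreadyExistsException e) {
            throw new IOException("refusing to reuse pre-existing file " + target, e);
        }
    }

    public static void main(String[] args) throws IOException {
        Object fixed = "stand-in for a fixed address"; // constructed sample value

        // Same input, same name, on every run and for every user.
        System.out.println(predictableName(fixed));
        System.out.println("predictable name repeats: "
                + predictableName(fixed).equals(predictableName(fixed)));   // true

        // Two calls, two different names.
        System.out.println("random name repeats: "
                + randomName().equals(randomName()));                       // false

        Path dir = Files.createTempDirectory("tempdb-demo");
        Path db = createFresh(dir, randomName());
        System.out.println("created " + db);

        // Cleanup of the demo files.
        Files.delete(db);
        Files.delete(dir);
    }
}
```

Compile and run with `javac TempDbNaming.java && java TempDbNaming`. The point a reviewer would check in the real patch is the same as in `randomName()`: the name must come from a cryptographically random source rather than from anything another process on the host can reproduce, and the file should be created in a way that fails if the path is already occupied.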