## qmi (li...@miklos.info):

> > > This vulnerability seems to have been already handled. See URL:
> > > https://security-tracker.debian.org/tracker/TEMP-0566326-9A899F
> >
> > No, we should deal with it in stable release, so tracking is important.
>
> Please check the link above once again.
Oh well, let's do that, by all means:

- the description reads "sqlite: info leak" - that's not the remote code execution Tencent has found.
- following the linked bug #566326 - which is from 2010 - the title is "xulrunner-1.9: iceweasel "clear private data" leaves traces on disk due to linkage to system libsqlite3 instead of embedded copy"

I conclude that "TEMP-0566326-9A899F" is not the vulnerability Tencent has dubbed "Magellan".

Further, "TEMP-0566326-9A899F" claims sqlite3 package 3.16.2-5+deb9u1 as "fixed" - on the first machine I checked, that version had been installed somewhat over a year ago, according to dpkg.log (on 2017-12-09, to be more exact). (It would be entirely possible that 3.16 is just too old to be vulnerable - but no such luck, read on.)

In fact, PTS at https://tracker.debian.org/pkg/sqlite3 lists "2 security issues in stretch", one of which is "TEMP-0000000-AAC0D0" with description ""Magellan" remote code execution vulnerability". That one lists sqlite3 version 3.26.0 as vulnerable - which, according to all available sources - is the fixed version (Tencent: "If your product uses SQLite, please update to 3.26.0").

I guess this will need fixing?

The fact that Tencent's announcement is thin on detail and thick on alarum (and we have no official tracking reference and no statement from SQLite themselves (except a few twitter blurbs)) makes this harder than it should be...

Regards,
Christoph
-- 
Spare Space