| Description: | Summary:
The remote host is missing an update for the Debian 'sqlite3' package(s) announced via the DLA-1633-1 advisory.
Vulnerability Insight:
Several flaws were corrected in SQLite, an SQL database engine.
CVE-2017-2518
A use-after-free bug in the query optimizer may cause a buffer overflow and application crash via a crafted SQL statement.
CVE-2017-2519
Insufficient size of the reference count on Table objects could lead to a denial-of-service or arbitrary code execution.
CVE-2017-2520
The sqlite3_value_text() interface returned a buffer that was not large enough to hold the complete string plus zero terminator when the input was a zeroblob. This could lead to arbitrary code execution or a denial-of-service.
CVE-2017-10989
SQLite mishandles undersized RTree blobs in a crafted database leading to a heap-based buffer over-read or possibly unspecified other impact.
CVE-2018-8740
Databases whose schema is corrupted using a CREATE TABLE AS statement could cause a NULL pointer dereference.
For Debian 8 Jessie, these problems have been fixed in version 3.8.7.1-1+deb8u4.
We recommend that you upgrade your sqlite3 packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: [link moved to references]
Affected Software/OS:
'sqlite3' package(s) on Debian 8.
Solution:
Please install the updated package(s).
CVSS Score:
7.5
CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
