moderate: bind/sqlite security update
An update for bind/sqlite is now available for NewStart CGSL MAIN 6.02.
NewStart Security has rated this update as having a security impact of moderate. A Common Vunlnerability Scoring System(CVSS)base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.
bind: This package provides debug information for package bind-libs. Debug information is useful when developing applications that use this package or when debugging this package.
sqlite: This package provides debug information for package lemon. Debug information is useful when developing applications that use this package or when debugging this package.
bind: A flaw was found in bind when an asterisk character is present in an empty non-terminal location within the DNS graph. This flaw could trigger an assertion failure, causing bind to crash. The highest threat from this vulnerability is to system availability.(CVE-2020-8619)
bind: A flaw was found in bind. An assertion failure can occur when trying to verify a truncated response to a TSIG-signed request. The highest threat from this vulnerability is to system availability.(CVE-2020-8622)
bind: A flaw was found in bind. An assertion failure can occur when a specially crafted query for a zone signed with an RSA key. BIND must be compiled with "--enable-native-pkcs11" for the system to be affected. The highest threat from this vulnerability is to system availability.(CVE-2020-8623)
bind: A flaw was found in bind. Updates to "Update-policy" rules of type "subdomain" are treated as if they were of type "zonesub" which allows updates to all parts of the zone along with the intended subdomain. The highest threat from this vulnerability is to data integrity.(CVE-2020-8624)
sqlite: An exploitable use after free vulnerability exists in the window function functionality of Sqlite3 3.26.0. A specially crafted SQL command can cause a use after free vulnerability, potentially resulting in remote code execution. An attacker can send a malicious SQL command to trigger this vulnerability.(CVE-2019-5018)
sqlite: In SQLite through 3.29.0, whereLoopAddBtreeIndex in sqlite3.c can crash a browser or other application because of missing validation of a sqlite_stat1 sz field, aka a "severe division by zero in the query planner."(CVE-2019-16168)
sqlite: A NULL pointer dereference was found in SQLite in the way it executes select statements with column optimizations. An attacker who is able to execute SQL statements can use this flaw to crash the application.(CVE-2020-9327)
sqlite: ctExpander in select.c in SQLite 3.30.1 proceeds with WITH stack unwinding even after a parsing error.(CVE-2019-20218)
sqlite: A use-after-free vulnerability was found in the SQLite FTS3 extension module in the way it implemented the snippet function. This flaw allows an attacker who can execute SQL statements to crash the application or potentially execute arbitrary code.(CVE-2020-13630)
sqlite: A flaw was found in the virtual table implementation of SQLite. This flaw allows an attacker who can execute SQL statements to rename a virtual table to the name of one of its shadow tables, leading to potential data corruption.(CVE-2020-13631)
sqlite: A NULL pointer dereference flaw was found in the matchinfo auxiliary function of the SQLite FTS3 extension module. This flaw allows an attacker who can execute SQL statements to crash the application, resulting in a denial of service.(CVE-2020-13632)
sqlite: An out-of-bounds read vulnerability was found in the SQLite component of the Chromium browser. A remote attacker could abuse this flaw to obtain potentially sensitive information from process memory via a crafted HTML page. The highest threat from this vulnerability is to data confidentiality.(CVE-2020-6405)
For details on how to apply this update, which includes the changes described in this advisory, refer to:
Remember the build tag is 6.02.50B5.