SUSE-SU-2022:3401-1: moderate: Security update for sqlite3
sle-security-updates at lists.suse.com
sle-security-updates at lists.suse.com
Mon Sep 26 19:25:14 UTC 2022
SUSE Security Update: Security update for sqlite3
______________________________________________________________________________
Announcement ID: SUSE-SU-2022:3401-1
Rating: moderate
References: #1189802 #1195773 #1201783
Cross-References: CVE-2021-36690 CVE-2022-35737
CVSS scores:
CVE-2021-36690 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2021-36690 (SUSE): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVE-2022-35737 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2022-35737 (SUSE): 6.3 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Affected Products:
SUSE Linux Enterprise Server 12-SP2-BCL
SUSE Linux Enterprise Server 12-SP3-BCL
SUSE Linux Enterprise Server 12-SP4-LTSS
SUSE Linux Enterprise Server 12-SP5
SUSE Linux Enterprise Server for SAP 12-SP4
SUSE Linux Enterprise Server for SAP Applications 12-SP5
SUSE Linux Enterprise Software Development Kit 12-SP5
SUSE OpenStack Cloud 9
SUSE OpenStack Cloud Crowbar 9
______________________________________________________________________________
An update that solves two vulnerabilities and has one
errata is now available.
Description:
This update for sqlite3 fixes the following issues:
Security issues fixed:
- CVE-2022-35737: Fixed an array-bounds overflow if billions of bytes are
used in a string argument to a C API (bnc#1201783).
- CVE-2021-36690: Fixed an issue with the SQLite Expert extension when a
column has no collating sequence (bsc#1189802).
- Package the Tcl bindings here again so that we only ship one copy of
SQLite (bsc#1195773).
sqlite3 was update to 3.39.3:
* Use a statement journal on DML statement affecting two or more database
rows if the statement makes use of a SQL functions that might abort.
* Use a mutex to protect the PRAGMA temp_store_directory and PRAGMA
data_store_directory statements, even though they are decremented and
documented as not being threadsafe.
Update to 3.39.2:
* Fix a performance regression in the query planner associated with
rearranging the order of FROM clause terms in the presences of a LEFT
JOIN.
* Apply fixes for CVE-2022-35737, Chromium bugs 1343348 and 1345947, forum
post 3607259d3c, and other minor problems discovered by internal
testing. [boo#1201783]
Update to 3.39.1:
* Fix an incorrect result from a query that uses a view that contains a
compound SELECT in which only one arm contains a RIGHT JOIN and where
the view is not the first FROM clause term
of the query that contains the view
* Fix a long-standing problem with ALTER TABLE RENAME that can
only arise if the sqlite3_limit(SQLITE_LIMIT_SQL_LENGTH) is set to a
very small value.
* Fix a long-standing problem in FTS3 that can only arise when compiled
with the SQLITE_ENABLE_FTS3_PARENTHESIS compile-time
option.
* Fix the initial-prefix optimization for the REGEXP extension so that it
works correctly even if the prefix contains characters that require a
3-byte UTF8 encoding.
* Enhance the sqlite_stmt virtual table so that it buffers all of its
output.
Update to 3.39.0:
* Add (long overdue) support for RIGHT and FULL OUTER JOIN
* Add new binary comparison operators IS NOT DISTINCT FROM and IS DISTINCT
FROM that are equivalent to IS and IS NOT, respective, for compatibility
with PostgreSQL and SQL standards
* Add a new return code (value "3") from the sqlite3_vtab_distinct()
interface that indicates a query that has both DISTINCT and ORDER BY
clauses
* Added the sqlite3_db_name() interface
* The unix os interface resolves all symbolic links in database filenames
to create a canonical name for the database before the file is opened
* Defer materializing views until the materialization is actually needed,
thus avoiding unnecessary work if the materialization turns out to never
be used
* The HAVING clause of a SELECT statement is now allowed on any aggregate
query, even queries that do not have a GROUP BY clause
* Many microoptimizations collectively reduce CPU cycles by about 2.3%.
Update to 3.38.5:
* Fix a blunder in the CLI of the 3.38.4 release
Update to 3.38.4:
* fix a byte-code problem in the Bloom filter pull-down
optimization added by release 3.38.0 in which an error in the byte code
causes the byte code engine to enter an infinite loop when the
pull-down optimization encounters a NULL key
Update to 3.38.3:
* Fix a case of the query planner be overly aggressive with
optimizing automatic-index and Bloom-filter construction, using
inappropriate ON clause terms to restrict the size of the
automatic-index or Bloom filter, and resulting in missing rows in the
output.
* Other minor patches. See the timeline for details.
Update to 3.38.2:
* Fix a problem with the Bloom filter optimization that might cause an
incorrect answer when doing a LEFT JOIN with a WHERE clause constraint
that says that one of the columns on the right table of the LEFT JOIN is
NULL.
* Other minor patches.
- Package the Tcl bindings here again so that we only ship one copy
of SQLite (bsc#1195773).
Update to 3.38.1:
* Fix problems with the new Bloom filter optimization that might cause
some obscure queries to get an incorrect answer.
* Fix the localtime modifier of the date and time functions so that it
preserves fractional seconds.
* Fix the sqlite_offset SQL function so that it works correctly even in
corner cases such as when the argument is a virtual column or the column
of a view.
* Fix row value IN operator constraints on virtual tables so that they
work correctly even if the virtual table implementation relies on
bytecode to filter rows that do not satisfy the constraint.
* Other minor fixes to assert() statements, test cases, and documentation.
See the source code timeline for details.
Update to 3.38.0
* Add the -> and ->> operators for easier processing of JSON
* The JSON functions are now built-ins
* Enhancements to date and time functions
* Rename the printf() SQL function to format() for better compatibility,
with alias for backwards compatibility.
* Add the sqlite3_error_offset() interface for helping localize an SQL
error to a specific character in the input SQL text
* Enhance the interface to virtual tables
* CLI columnar output modes are enhanced to correctly handle tabs and
newlines embedded in text, and add options like "--wrap N", "--wordwrap
on", and "--quote" to the columnar output modes.
* Query planner enhancements using a Bloom filter to speed up large
analytic queries, and a balanced merge tree to evaluate UNION or UNION
ALL compound SELECT statements that have an ORDER BY clause.
* The ALTER TABLE statement is changed to silently ignores entries in the
sqlite_schema table that do not parse when PRAGMA writable_schema=ON
Update to 3.37.2:
* Fix a bug introduced in version 3.35.0 (2021-03-12) that can cause
database corruption if a SAVEPOINT is rolled back while in PRAGMA
temp_store=MEMORY mode, and other changes are made, and then the outer
transaction commits
* Fix a long-standing problem with ON DELETE CASCADE and ON UPDATE CASCADE
in which a cache of the bytecode used to implement the cascading change
was not being reset following a local DDL change
Update to 3.37.1:
* Fix a bug introduced by the UPSERT enhancements of version 3.35.0 that
can cause incorrect byte-code to be generated for some obscure but valid
SQL, possibly resulting in a NULL- pointer dereference.
* Fix an OOB read that can occur in FTS5 when reading corrupt database
files.
* Improved robustness of the --safe option in the CLI.
* Other minor fixes to assert() statements and test cases.
Update to 3.37.0:
* STRICT tables provide a prescriptive style of data type management, for
developers who prefer that kind of thing.
* When adding columns that contain a CHECK constraint or a generated
column containing a NOT NULL constraint, the ALTER TABLE ADD COLUMN now
checks new constraints against preexisting rows in the database and will
only proceed if no constraints are violated.
* Added the PRAGMA table_list statement.
* Add the .connection command, allowing the CLI to keep multiple database
connections open at the same time.
* Add the --safe command-line option that disables dot-commands and SQL
statements that might cause side-effects that extend beyond the single
database file named on the command-line.
* CLI: Performance improvements when reading SQL statements that span many
lines.
* Added the sqlite3_autovacuum_pages() interface.
* The sqlite3_deserialize() does not and has never worked for the TEMP
database. That limitation is now noted in the documentation.
* The query planner now omits ORDER BY clauses on subqueries and views if
removing those clauses does not change the semantics
of the query.
* The generate_series table-valued function extension is modified so that
the first parameter ("START") is now required. This is done as a way to
demonstrate how to write table-valued functions with required
parameters. The legacy behavior is available using the
-DZERO_ARGUMENT_GENERATE_SERIES compile-time option.
* Added new sqlite3_changes64() and sqlite3_total_changes64() interfaces.
* Added the SQLITE_OPEN_EXRESCODE flag option to sqlite3_open_v2().
* Use less memory to hold the database schema.
* bsc#1189802, CVE-2021-36690: Fix an issue with the SQLite Expert
extension when a column has no collating sequence.
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- SUSE OpenStack Cloud Crowbar 9:
zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2022-3401=1
- SUSE OpenStack Cloud 9:
zypper in -t patch SUSE-OpenStack-Cloud-9-2022-3401=1
- SUSE Linux Enterprise Software Development Kit 12-SP5:
zypper in -t patch SUSE-SLE-SDK-12-SP5-2022-3401=1
- SUSE Linux Enterprise Server for SAP 12-SP4:
zypper in -t patch SUSE-SLE-SAP-12-SP4-2022-3401=1
- SUSE Linux Enterprise Server 12-SP5:
zypper in -t patch SUSE-SLE-SERVER-12-SP5-2022-3401=1
- SUSE Linux Enterprise Server 12-SP4-LTSS:
zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2022-3401=1
- SUSE Linux Enterprise Server 12-SP3-BCL:
zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2022-3401=1
- SUSE Linux Enterprise Server 12-SP2-BCL:
zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2022-3401=1
Package List:
- SUSE OpenStack Cloud Crowbar 9 (x86_64):
libsqlite3-0-3.39.3-9.23.1
libsqlite3-0-32bit-3.39.3-9.23.1
libsqlite3-0-debuginfo-3.39.3-9.23.1
libsqlite3-0-debuginfo-32bit-3.39.3-9.23.1
sqlite3-3.39.3-9.23.1
sqlite3-debuginfo-3.39.3-9.23.1
sqlite3-debugsource-3.39.3-9.23.1
sqlite3-devel-3.39.3-9.23.1
sqlite3-tcl-3.39.3-9.23.1
- SUSE OpenStack Cloud 9 (x86_64):
libsqlite3-0-3.39.3-9.23.1
libsqlite3-0-32bit-3.39.3-9.23.1
libsqlite3-0-debuginfo-3.39.3-9.23.1
libsqlite3-0-debuginfo-32bit-3.39.3-9.23.1
sqlite3-3.39.3-9.23.1
sqlite3-debuginfo-3.39.3-9.23.1
sqlite3-debugsource-3.39.3-9.23.1
sqlite3-devel-3.39.3-9.23.1
sqlite3-tcl-3.39.3-9.23.1
- SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64):
sqlite3-debuginfo-3.39.3-9.23.1
sqlite3-debugsource-3.39.3-9.23.1
sqlite3-devel-3.39.3-9.23.1
- SUSE Linux Enterprise Server for SAP 12-SP4 (ppc64le x86_64):
libsqlite3-0-3.39.3-9.23.1
libsqlite3-0-debuginfo-3.39.3-9.23.1
sqlite3-3.39.3-9.23.1
sqlite3-debuginfo-3.39.3-9.23.1
sqlite3-debugsource-3.39.3-9.23.1
sqlite3-devel-3.39.3-9.23.1
sqlite3-tcl-3.39.3-9.23.1
- SUSE Linux Enterprise Server for SAP 12-SP4 (x86_64):
libsqlite3-0-32bit-3.39.3-9.23.1
libsqlite3-0-debuginfo-32bit-3.39.3-9.23.1
- SUSE Linux Enterprise Server 12-SP5 (aarch64 ppc64le s390x x86_64):
libsqlite3-0-3.39.3-9.23.1
libsqlite3-0-debuginfo-3.39.3-9.23.1
sqlite3-3.39.3-9.23.1
sqlite3-debuginfo-3.39.3-9.23.1
sqlite3-debugsource-3.39.3-9.23.1
sqlite3-devel-3.39.3-9.23.1
sqlite3-tcl-3.39.3-9.23.1
- SUSE Linux Enterprise Server 12-SP5 (s390x x86_64):
libsqlite3-0-32bit-3.39.3-9.23.1
libsqlite3-0-debuginfo-32bit-3.39.3-9.23.1
- SUSE Linux Enterprise Server 12-SP4-LTSS (aarch64 ppc64le s390x x86_64):
libsqlite3-0-3.39.3-9.23.1
libsqlite3-0-debuginfo-3.39.3-9.23.1
sqlite3-3.39.3-9.23.1
sqlite3-debuginfo-3.39.3-9.23.1
sqlite3-debugsource-3.39.3-9.23.1
sqlite3-devel-3.39.3-9.23.1
sqlite3-tcl-3.39.3-9.23.1
- SUSE Linux Enterprise Server 12-SP4-LTSS (s390x x86_64):
libsqlite3-0-32bit-3.39.3-9.23.1
libsqlite3-0-debuginfo-32bit-3.39.3-9.23.1
- SUSE Linux Enterprise Server 12-SP3-BCL (x86_64):
libsqlite3-0-3.39.3-9.23.1
libsqlite3-0-32bit-3.39.3-9.23.1
libsqlite3-0-debuginfo-3.39.3-9.23.1
libsqlite3-0-debuginfo-32bit-3.39.3-9.23.1
sqlite3-3.39.3-9.23.1
sqlite3-debuginfo-3.39.3-9.23.1
sqlite3-debugsource-3.39.3-9.23.1
sqlite3-devel-3.39.3-9.23.1
sqlite3-tcl-3.39.3-9.23.1
- SUSE Linux Enterprise Server 12-SP2-BCL (x86_64):
libsqlite3-0-3.39.3-9.23.1
libsqlite3-0-32bit-3.39.3-9.23.1
libsqlite3-0-debuginfo-3.39.3-9.23.1
libsqlite3-0-debuginfo-32bit-3.39.3-9.23.1
sqlite3-3.39.3-9.23.1
sqlite3-debuginfo-3.39.3-9.23.1
sqlite3-debugsource-3.39.3-9.23.1
sqlite3-devel-3.39.3-9.23.1
sqlite3-tcl-3.39.3-9.23.1
References:
https://www.suse.com/security/cve/CVE-2021-36690.html
https://www.suse.com/security/cve/CVE-2022-35737.html
https://bugzilla.suse.com/1189802
https://bugzilla.suse.com/1195773
https://bugzilla.suse.com/1201783
More information about the sle-security-updates
mailing list