Security update for sqlite3

Announcement ID: SUSE-SU-2021:3215-1
Rating: important
CVSS scores:
  • CVE-2015-3414 ( SUSE ): 4.4 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H
  • CVE-2015-3415 ( SUSE ): 6.7 CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
  • CVE-2016-6153 ( NVD ): 5.9 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
  • CVE-2017-10989 ( SUSE ): 3.6 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:L
  • CVE-2017-10989 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2017-2518 ( SUSE ): 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2017-2518 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-20346 ( SUSE ): 7.0 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-20346 ( NVD ): 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2018-8740 ( SUSE ): 4.0 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
  • CVE-2018-8740 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2019-16168 ( SUSE ): 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2019-16168 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
  • CVE-2019-19244 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2019-19244 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2019-19317 ( SUSE ): 4.0 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • CVE-2019-19317 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2019-19603 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2019-19603 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2019-19645 ( SUSE ): 5.1 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2019-19645 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2019-19646 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
  • CVE-2019-19646 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2019-19880 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2019-19923 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
  • CVE-2019-19923 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2019-19924 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • CVE-2019-19924 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • CVE-2019-19925 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
  • CVE-2019-19925 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2019-19926 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2019-19926 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2019-19959 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
  • CVE-2019-19959 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • CVE-2019-20218 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2019-20218 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2019-8457 ( SUSE ): 8.1 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
  • CVE-2019-8457 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2019-8457 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE-2020-13434 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2020-13434 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2020-13435 ( SUSE ): 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
  • CVE-2020-13435 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2020-13630 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
  • CVE-2020-13630 ( NVD ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CVE-2020-13631 ( SUSE ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
  • CVE-2020-13631 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
  • CVE-2020-13632 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
  • CVE-2020-13632 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2020-15358 ( SUSE ): 6.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
  • CVE-2020-15358 ( NVD ): 5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  • CVE-2020-9327 ( SUSE ): 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
  • CVE-2020-9327 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
  • HPE Helion OpenStack 8
  • SUSE Linux Enterprise High Performance Computing 12 SP2
  • SUSE Linux Enterprise High Performance Computing 12 SP3
  • SUSE Linux Enterprise High Performance Computing 12 SP4
  • SUSE Linux Enterprise High Performance Computing 12 SP5
  • SUSE Linux Enterprise Server 12 SP2
  • SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2
  • SUSE Linux Enterprise Server 12 SP3
  • SUSE Linux Enterprise Server 12 SP3 BCL 12-SP3
  • SUSE Linux Enterprise Server 12 SP3 ESPOS 12-SP3
  • SUSE Linux Enterprise Server 12 SP3 LTSS 12-SP3
  • SUSE Linux Enterprise Server 12 SP4
  • SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4
  • SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4
  • SUSE Linux Enterprise Server 12 SP5
  • SUSE Linux Enterprise Server for SAP Applications 12 SP3
  • SUSE Linux Enterprise Server for SAP Applications 12 SP4
  • SUSE Linux Enterprise Server for SAP Applications 12 SP5
  • SUSE Linux Enterprise Software Development Kit 12 SP5
  • SUSE OpenStack Cloud 8
  • SUSE OpenStack Cloud 9
  • SUSE OpenStack Cloud Crowbar 8
  • SUSE OpenStack Cloud Crowbar 9

An update that solves 28 vulnerabilities and contains one feature can now be installed.

Description:

This update for sqlite3 fixes the following issues:

sqlite3 is synced to version 3.36.0 from Factory (jsc#SLE-16032).

The following CVEs had already been fixed in upstream releases up to this point, but were not mentioned in the changelog so far:

  • bsc#1173641, CVE-2020-15358: heap-based buffer overflow in multiSelectOrderBy due to mishandling of the query-flattener optimization
  • bsc#1164719, CVE-2020-9327: NULL pointer dereference and segmentation fault because of generated column optimizations in isAuxiliaryVtabOperator
  • bsc#1160439, CVE-2019-20218: selectExpander in select.c proceeds with WITH stack unwinding even after a parsing error
  • bsc#1160438, CVE-2019-19959: memory-management error via ext/misc/zipfile.c involving embedded '\0' input
  • bsc#1160309, CVE-2019-19923: improper handling of certain uses of SELECT DISTINCT in flattenSubquery may lead to a NULL pointer dereference
  • bsc#1159850, CVE-2019-19924: improper error handling in sqlite3WindowRewrite()
  • bsc#1159847, CVE-2019-19925: improper handling of a NULL pathname during an update of a ZIP archive
  • bsc#1159715, CVE-2019-19926: improper handling of certain errors while parsing multiSelect in select.c
  • bsc#1159491, CVE-2019-19880: exprListAppendList in window.c allows attackers to trigger an invalid pointer dereference
  • bsc#1158960, CVE-2019-19603: during handling of CREATE TABLE and CREATE VIEW statements, confusion with a shadow table name is not considered
  • bsc#1158959, CVE-2019-19646: pragma.c mishandles NOT NULL in an integrity_check PRAGMA command in certain cases of generated columns
  • bsc#1158958, CVE-2019-19645: alter.c allows attackers to trigger infinite recursion via certain types of self-referential views in conjunction with ALTER TABLE statements
  • bsc#1158812, CVE-2019-19317: lookupName in resolve.c omits bits from the colUsed bitmask in the case of a generated column, which allows attackers to cause a denial of service
  • bsc#1157818, CVE-2019-19244: the function sqlite3Select in select.c allows a crash if a sub-select uses both DISTINCT and window functions and also has certain ORDER BY usage
  • bsc#928701, CVE-2015-3415: sqlite3VdbeExec comparison operator vulnerability
  • bsc#928700, CVE-2015-3414: dequoting of collation-sequence names
  • bsc#1172115, CVE-2020-13434: integer overflow in sqlite3_str_vappendf
  • bsc#1172234, CVE-2020-13630: use-after-free in fts3EvalNextRow
  • bsc#1172236, CVE-2020-13631: a virtual table could be renamed to one of its shadow tables
  • bsc#1172240, CVE-2020-13632: NULL pointer dereference via a crafted matchinfo() query
  • bsc#1172091, CVE-2020-13435: malicious SQL statements could crash the process running SQLite

Patch Instructions:

To install this SUSE update, use the SUSE recommended installation methods such as YaST online_update or "zypper patch".
Alternatively, you can run the command listed for your product:

  • HPE Helion OpenStack 8
    zypper in -t patch HPE-Helion-OpenStack-8-2021-3215=1
  • SUSE OpenStack Cloud 8
    zypper in -t patch SUSE-OpenStack-Cloud-8-2021-3215=1
  • SUSE OpenStack Cloud 9
    zypper in -t patch SUSE-OpenStack-Cloud-9-2021-3215=1
  • SUSE OpenStack Cloud Crowbar 8
    zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-3215=1
  • SUSE OpenStack Cloud Crowbar 9
    zypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-3215=1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP3
    zypper in -t patch SUSE-SLE-SAP-12-SP3-2021-3215=1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP4
    zypper in -t patch SUSE-SLE-SAP-12-SP4-2021-3215=1
  • SUSE Linux Enterprise Software Development Kit 12 SP5
    zypper in -t patch SUSE-SLE-SDK-12-SP5-2021-3215=1
  • SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2
    zypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-3215=1
  • SUSE Linux Enterprise Server 12 SP3 BCL 12-SP3
    zypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-3215=1
  • SUSE Linux Enterprise Server 12 SP3 ESPOS 12-SP3
    zypper in -t patch SUSE-SLE-SERVER-12-SP3-ESPOS-2021-3215=1
  • SUSE Linux Enterprise Server 12 SP3 LTSS 12-SP3
    zypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-3215=1
  • SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4
    zypper in -t patch SUSE-SLE-SERVER-12-SP4-ESPOS-2021-3215=1
  • SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4
    zypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-3215=1
  • SUSE Linux Enterprise High Performance Computing 12 SP5
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-3215=1
  • SUSE Linux Enterprise Server 12 SP5
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-3215=1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP5
    zypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-3215=1
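
After patching, a defender usually wants to confirm across a fleet that the sqlite3 packages have actually reached the fixed build (3.36.0-9.18.1, as listed in the Package List for this advisory). The following is an added example, not SUSE's own tooling: it implements a simplified rpm version-release comparison and checks a constructed `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` inventory (sample data, not from a real host) against the fixed build.

```python
import re

# Fixed version-release of the sqlite3 packages shipped by SUSE-SU-2021:3215-1
FIXED_VR = "3.36.0-9.18.1"
# Package names this advisory ships (taken from the Package List)
PATCHED_PKGS = {"sqlite3", "libsqlite3-0", "libsqlite3-0-32bit", "sqlite3-devel"}

# Constructed sample inventory (not a real host), one "NAME VERSION-RELEASE" per line
SAMPLE_INVENTORY = """\
libsqlite3-0 3.8.10.2-9.12.1
sqlite3 3.36.0-9.18.1
libsqlite3-0-32bit 3.36.0-9.20.1
openssl 1.0.2p-3.46.1
"""

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")

def rpmvercmp(a, b):
    """Simplified rpmvercmp: split into numeric/alpha segments, compare
    numerically or lexically, numeric beats alpha, longer string wins.
    (Tilde/caret handling omitted.) Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def vr_cmp(a, b):
    """Compare 'version-release' strings: version first, then release."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def unpatched(inventory, fixed_vr=FIXED_VR, pkgs=PATCHED_PKGS):
    """Return {name: installed_vr} for advisory packages older than the fix."""
    result = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        name, vr = line.split()
        if name in pkgs and vr_cmp(vr, fixed_vr) < 0:
            result[name] = vr
    return result

if __name__ == "__main__":
    print("still vulnerable:", unpatched(SAMPLE_INVENTORY))
```

On a real SLES 12 host, feed the output of the `rpm -qa` query above into `unpatched()`; an empty result means every advisory package is at or beyond the fixed build.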

Package List:

  • HPE Helion OpenStack 8 (x86_64)
    • libsqlite3-0-debuginfo-3.36.0-9.18.1
    • libsqlite3-0-32bit-3.36.0-9.18.1
    • libsqlite3-0-3.36.0-9.18.1
    • libsqlite3-0-debuginfo-32bit-3.36.0-9.18.1
    • sqlite3-debugsource-3.36.0-9.18.1
    • sqlite3-3.36.0-9.18.1
    • sqlite3-devel-3.36.0-9.18.1
    • sqlite3-debuginfo-3.36.0-9.18.1
  • SUSE OpenStack Cloud 8 (x86_64)
    • libsqlite3-0-debuginfo-3.36.0-9.18.1
    • libsqlite3-0-32bit-3.36.0-9.18.1
    • libsqlite3-0-3.36.0-9.18.1
    • libsqlite3-0-debuginfo-32bit-3.36.0-9.18.1
    • sqlite3-debugsource-3.36.0-9.18.1
    • sqlite3-3.36.0-9.18.1
    • sqlite3-devel-3.36.0-9.18.1
    • sqlite3-debuginfo-3.36.0-9.18.1
  • SUSE OpenStack Cloud 9 (x86_64)
    • libsqlite3-0-debuginfo-3.36.0-9.18.1
    • libsqlite3-0-32bit-3.36.0-9.18.1
    • libsqlite3-0-3.36.0-9.18.1
    • libsqlite3-0-debuginfo-32bit-3.36.0-9.18.1
    • sqlite3-debugsource-3.36.0-9.18.1
    • sqlite3-3.36.0-9.18.1
    • sqlite3-devel-3.36.0-9.18.1
    • sqlite3-debuginfo-3.36.0-9.18.1
  • SUSE OpenStack Cloud Crowbar 8 (x86_64)
    • libsqlite3-0-debuginfo-3.36.0-9.18.1
    • libsqlite3-0-32bit-3.36.0-9.18.1
    • libsqlite3-0-3.36.0-9.18.1
    • libsqlite3-0-debuginfo-32bit-3.36.0-9.18.1
    • sqlite3-debugsource-3.36.0-9.18.1
    • sqlite3-3.36.0-9.18.1
    • sqlite3-devel-3.36.0-9.18.1
    • sqlite3-debuginfo-3.36.0-9.18.1
  • SUSE OpenStack Cloud Crowbar 9 (x86_64)
    • libsqlite3-0-debuginfo-3.36.0-9.18.1
    • libsqlite3-0-32bit-3.36.0-9.18.1
    • libsqlite3-0-3.36.0-9.18.1
    • libsqlite3-0-debuginfo-32bit-3.36.0-9.18.1
    • sqlite3-debugsource-3.36.0-9.18.1
    • sqlite3-3.36.0-9.18.1
    • sqlite3-devel-3.36.0-9.18.1
    • sqlite3-debuginfo-3.36.0-9.18.1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP3 (ppc64le x86_64)
    • libsqlite3-0-debuginfo-3.36.0-9.18.1
    • libsqlite3-0-3.36.0-9.18.1
    • sqlite3-debugsource-3.36.0-9.18.1
    • sqlite3-3.36.0-9.18.1
    • sqlite3-devel-3.36.0-9.18.1
    • sqlite3-debuginfo-3.36.0-9.18.1
  • SUSE Linux Enterprise Server for SAP Applications 12 SP3 (x86_64)
    • libsqlite3-0-32bit-3.36.0-9.18.1
    • libsqlite3-0-debuginfo-32bit-3.36.0-9.18.1