Mailu 1.5: Security vulnerability in SQLite #748
Comments
So, some more investigations. Python3 depends on sqlite-libs, which reflects the current SQLite package version (Alpine sub-package). Alpine edge:
Alpine 3.8:
Alpine 3.7:
So on It seems Alpine has patched SQLite for 3.7, 6 days ago: However, the sqlite package has not yet been built and is still at version 3.21. I've contacted
This issue will be removed from the
Edited original post from @kaiyou. Triggering CC notification by this message.
@muhlemmer Finally the sqlite package was updated to 3.25.3 yesterday. So I think after a rebuild we can close this issue.
Rebuild is done and I've updated the top post. I'd prefer to keep this open for a while, so that users are still informed properly.
Security vulnerability was reported here: https://blade.tencent.com/magellan/index_en.html
It is unclear if Mailu is affected, given no details are provided regarding the actual bug or exploit code. However, our images should be rebuilt as soon as package updates are available for Alpine and Debian.
Update 29-01-2019
- mailu:master was updated around 02-01-2019;
- mailu:1.5 was updated around 28-01-2019;
Users that are running snapshots of those branches are advised to pull the latest images:
- mailu:1.6 uses SQLite 3.25.3 since release and was therefore not affected by this.
This issue will remain open as an announcement and will be closed one month from now. -- @muhlemmer