Mailu 1.5: Security vulnerability in SQLite

[kaiyou]

Security vulnerability was reported here: https://blade.tencent.com/magellan/index_en.html

It is unclear if Mailu is affected, given no details are provided regarding the actual bug or exploit code. However, our images should be rebuilt as soon as package updates are available for Alpine and Debian.

Update 29-01-2019

• mailu:master was updated around 02-01-2019;
• mailu:1.5 was updated around 28-01-2019;

User that are running snapshots of those branches are advised to pull the latest images:

docker-compose pull
docker-compose up -d

• mailu:1.6 uses SQLite 3.25.3 since release and was therefore not affected by this.

This issue will remain open as announcement and will be closed on month from now. -- @muhlemmer

[muhlemmer]

So, some more investigations. Python3 depends on sqlite-libs, which reflects the currents SQLite package version. (alpine sub-package).

Alpine edge:

>>> sqlite3.sqlite_version
'3.26.0'

Alpine 3.8:

>>> sqlite3.sqlite_version
'3.25.3'

Alpine 3.7:

>>> sqlite3.sqlite_version
'3.21.0'

So on Mailu:master we are OK. 1.5 is still exposed.

It seems Alpine has patched SQLite for 3.7, 6 days ago:
https://git.alpinelinux.org/aports/commit/main/sqlite?h=3.7-stable&id=63ebe94564a865e66f3ee37fa683ce8edd3d19c6

However, the sqlite package has not yet been build and is still at version 3.21
https://pkgs.alpinelinux.org/package/v3.7/main/x86_64/sqlite

I've contacted #alpine-devel on IRC, hopefully they can trigger a build.

[muhlemmer]

This issue will be removed from the 1.6 milestone, as it is fixed in master. It will remain open for now on 1.5.

[muhlemmer]

Edited original post from @kaiyou. Triggering CC notification by this message.

[hoellen]

@muhlemmer Finally the sqlite package was updated to 3.25.3 yesterday. So I think after a rebuild we can close this issue.

[muhlemmer]

Rebuild is done and I've updated to top post. I'd prefer to keep this open for a while, so that users are still informed properly.