• pkg audit flags sqlite3 3.50.2_1,1 but description says not?

    From Winston@21:1/5 to All on Fri Aug 1 03:39:20 2025
    https://vuxml.freebsd.org/freebsd/f51077bd-6dd7-11f0-9d62-b42e991fc52e.html says that sqlite3 after 3.39.2 and before 3.41.1 is vulnerable,
    but "pkg audit" flags the current version (3.50.2_1,1) as at risk.
Is that a problem in the audit tests or the vulnerability description?

    (Somewhat unusually, the "Affected packages" description has 2 lines:
    "3.39.2 < sqlite3" and "sqlite3 < 3.41.1" rather than 1 line
    "3.39.2 < sqlite3 < 3.41.1", suggesting 2 audit rules instead of 1,
    the first of which (by itself) would match 3.50.)
    -WBE

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
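As an added illustration (not part of the original post, and not pkg's or VuXML's own code), the following Python model shows why the two-line rendering matters. In VuXML, the bounds inside one `<range>` must all hold (AND), while separate `<range>` entries for the same package are alternatives (OR). The script parses the rendered rule strings quoted above, applies a simplified version of FreeBSD's `version[_revision][,epoch]` ordering (epoch first, then dotted version, then revision; this is an approximation, not pkg's comparison routine), and evaluates `3.50.2_1,1` against both readings. The function names and the `pkgname` parameter are my own choices for the example.

```python
# Added example: a simplified model of VuXML "affected package" range
# evaluation, to show the difference between two independent rules
# ("3.39.2 < sqlite3" OR "sqlite3 < 3.41.1") and one combined range
# ("3.39.2 < sqlite3 < 3.41.1"). Version ordering is an approximation
# of FreeBSD's version[_revision][,epoch] scheme, not pkg's own code.
from typing import List, Tuple

OPS = {"<", "<=", ">", ">="}
FLIP = {"<": ">", "<=": ">=", ">": "<", ">=": "<="}


def parse_freebsd_version(v: str) -> Tuple[int, Tuple[int, ...], int]:
    """Split 'VERSION[_REVISION][,EPOCH]' into a tuple that sorts the way
    pkg orders versions: epoch first, then dotted version, then revision.
    Example: '3.50.2_1,1' -> (1, (3, 50, 2), 1)."""
    epoch = 0
    if "," in v:
        v, e = v.split(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in v:
        v, r = v.split("_", 1)
        revision = int(r)
    parts = tuple(int(p) for p in v.split("."))
    return (epoch, parts, revision)


def parse_range_rule(rule: str, pkgname: str) -> List[Tuple[str, str]]:
    """Parse a rendered VuXML range such as '3.39.2 < sqlite3 < 3.41.1'
    into bounds on the package version: [('>', '3.39.2'), ('<', '3.41.1')].
    A bound written to the left of the package name is flipped so that
    every bound reads as 'pkg <op> version'."""
    toks = rule.split()
    i = toks.index(pkgname)
    bounds: List[Tuple[str, str]] = []
    if i >= 2 and toks[i - 1] in OPS:            # "<ver> <op> pkg"
        bounds.append((FLIP[toks[i - 1]], toks[i - 2]))
    if i + 2 < len(toks) and toks[i + 1] in OPS:  # "pkg <op> <ver>"
        bounds.append((toks[i + 1], toks[i + 2]))
    return bounds


def version_satisfies(installed: str, bounds: List[Tuple[str, str]]) -> bool:
    """All bounds of a single range must hold (AND semantics)."""
    iv = parse_freebsd_version(installed)
    for op, bound in bounds:
        bv = parse_freebsd_version(bound)
        ok = {"<": iv < bv, "<=": iv <= bv, ">": iv > bv, ">=": iv >= bv}[op]
        if not ok:
            return False
    return True


def is_flagged(installed: str, rules: List[str], pkgname: str = "sqlite3") -> bool:
    """A package is flagged if ANY rule (range) matches (OR semantics
    across ranges, AND semantics within each range)."""
    return any(version_satisfies(installed, parse_range_rule(r, pkgname))
               for r in rules)


if __name__ == "__main__":
    installed = "3.50.2_1,1"  # version quoted in the post
    two_rules = ["3.39.2 < sqlite3", "sqlite3 < 3.41.1"]
    one_rule = ["3.39.2 < sqlite3 < 3.41.1"]
    # Two separate ranges: the first one alone matches 3.50.2, so the
    # package is flagged even though it is well past the fixed version.
    print("two rules ->", is_flagged(installed, two_rules))   # True
    # One combined range: the upper bound fails, so nothing is flagged.
    print("one rule  ->", is_flagged(installed, one_rule))    # False
    # Sanity checks on the intended window.
    print("3.40.0    ->", is_flagged("3.40.0", one_rule))     # True
    print("3.39.2    ->", is_flagged("3.39.2", one_rule))     # False
```

The practical check is to read the advisory's XML rather than the rendered page: if the affected-version bounds sit in two `<range>` elements instead of one, every version above the lower bound matches, which is exactly the false positive `pkg audit` reported here.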
  • From Winston@21:1/5 to I previously on Sat Aug 9 16:03:45 2025
    I previously asked:
    https://vuxml.freebsd.org/freebsd/f51077bd-6dd7-11f0-9d62-b42e991fc52e.html says that sqlite3 after 3.39.2 and before 3.41.1 is vulnerable,
    but "pkg audit" flags the current version (3.50.2_1,1) as at risk.
Is that a problem in the audit tests or the vulnerability description?

    (Somewhat unusually, the "Affected packages" description has 2 lines:
    "3.39.2 < sqlite3" and "sqlite3 < 3.41.1" rather than 1 line
    "3.39.2 < sqlite3 < 3.41.1", suggesting 2 audit rules instead of 1,
    the first of which (by itself) would match 3.50.)

    This audit alert went away on its own with no change to the installed
    sqlite3, so it looks like this was indeed a mistake in the initial audit
    test rules.
    -WBE
