ID

VAR-201912-1378

CVE

CVE-2019-19603

TITLE

SQLite Vulnerability in

DESCRIPTION

SQLite 3.30.1 mishandles certain SELECT statements with a nonexistent VIEW, leading to an application crash. SQLite Contains an unspecified vulnerability.Information is acquired, information is falsified, and denial of service (DoS) May be in a state. (CVE-2018-8740). -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: OpenShift Container Platform 4.11.0 extras and security update Advisory ID: RHSA-2022:5070-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2022:5070 Issue date: 2022-08-10 CVE Names: CVE-2018-25032 CVE-2019-5827 CVE-2019-13750 CVE-2019-13751 CVE-2019-17594 CVE-2019-17595 CVE-2019-18218 CVE-2019-18874 CVE-2019-19603 CVE-2019-20838 CVE-2020-13435 CVE-2020-14155 CVE-2020-24370 CVE-2020-28493 CVE-2021-3580 CVE-2021-3634 CVE-2021-3737 CVE-2021-4189 CVE-2021-20095 CVE-2021-20231 CVE-2021-20232 CVE-2021-23177 CVE-2021-25219 CVE-2021-31566 CVE-2021-36084 CVE-2021-36085 CVE-2021-36086 CVE-2021-36087 CVE-2021-38561 CVE-2021-40528 CVE-2021-42771 CVE-2022-0778 CVE-2022-1271 CVE-2022-1621 CVE-2022-1629 CVE-2022-1706 CVE-2022-1729 CVE-2022-21698 CVE-2022-22576 CVE-2022-23772 CVE-2022-23773 CVE-2022-23806 CVE-2022-24407 CVE-2022-24675 CVE-2022-24903 CVE-2022-24921 CVE-2022-25313 CVE-2022-25314 CVE-2022-27191 CVE-2022-27774 CVE-2022-27776 CVE-2022-27782 CVE-2022-28327 CVE-2022-29162 CVE-2022-29824 ==================================================================== 1. Summary: Red Hat OpenShift Container Platform release 4.11.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.11. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.11.0. See the following advisory for the container images for this release: https://access.redhat.com/errata/RHSA-2022:5068 Security Fix(es): * golang: out-of-bounds read in golang.org/x/text/language leads to DoS (CVE-2021-38561) * prometheus/client_golang: Denial of service using InstrumentHandlerCounter (CVE-2022-21698) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. All OpenShift Container Platform 4.11 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html 3. Solution: For OpenShift Container Platform 4.11 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html Details on how to access this content are available at https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html 4. Bugs fixed (https://bugzilla.redhat.com/): 2042536 - OCP 4.10: nfd-topology-updater daemonset fails to get created on worker nodes - forbidden: unable to validate against any security context constraint 2042652 - Unable to deploy hw-event-proxy operator 2045880 - CVE-2022-21698 prometheus/client_golang: Denial of service using InstrumentHandlerCounter 2047308 - Remove metrics and events for master port offsets 2055049 - No pre-caching for NFD images 2055436 - nfd-master tracking the wrong api group 2055439 - nfd-master tracking the wrong api group (operand) 2057569 - nfd-worker: drop 'custom-' prefix from matchFeatures custom rules 2058256 - LeaseDuration for NFD Operator seems to be rather small, causing Operator restarts when running etcd defrag 2062849 - hw event proxy is not binding on ipv6 local address 2066860 - Wrong spec in NFD documentation under `operand` 2066887 - Dependabot alert: Path traversal in github.com/valyala/fasthttp 2066889 - Dependabot alert: Path traversal in github.com/valyala/fasthttp 2067312 - PPT event source is lost when received by the consumer 2077243 - NFD os release label lost after upgrade to ocp 4.10.6 2087511 - NFD SkipRange is wrong causing OLM install problems 2089962 - Node feature Discovery operator installation failed. 2090774 - Add Readme to plugin directory 2091106 - Dependabot alert: Unhandled exception in gopkg.in/yaml.v3 2091142 - Dependabot alert: Unhandled exception in gopkg.in/yaml.v3 2100495 - CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS 5. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYvOfLtzjgjWX9erEAQh7aQ//QAKxZilehv3o6x6Iw6VhjUan4BQK62o0 wOxUKHXbDxB+QT9oHOm2w0C1K1FOGrPcDlkOw9oIK5KS8gWUyNL5r2NjZ0FH0/wu oLIXIZ94BB5cIcpiQx7LtljFjDl0dp2/NlTV5KHKtZrCkm68/e4Xh35tYJK+NL1a 9hTqoXgH07TiUYhOORKig9Sa90tDodWWLs3M6pGri8SrOwUWXz7AuN0p2hD0AKNj 2UxAWrmviYLrNzmBEg9gIjZRF7D8cog/60Wu0cWT2GlRj1oFIv0Dj3KvTvQFq2gH JEOB+eNVlShqoXF8WTuJy358hVOO3ybeCO9M+w6jXJnM4tXttPp5J0CHuxc+SrH3 YfoqG/OaAuNz0r2ZwPj+LxL9isN0JtKvGZgZJIVi//1JWk1Jc9IAJrNJukqL6Nr9 iHojxb9Exk1EGllrpashh70KBZ+uTU94SctLeXyXIENuHq0pPGym6SbQfcnN3Ntq 8eOxHaBmY5uZPfTAuNFSmT+uK1Fia+IsbCZ/6a1A5VNR2zAk4LtGV8JbM/Vzwnwi cDFaurOrKAZRq6L9v6i2/DuNKUlaqoKCF8Mp1RyONTy1cxkb34Yzm189JPsqbM02 GDIdDSqVb8vMzdVjSoMmYJ3rBsMbB6pw+B8VbhIMcYkyC/TOZ8Z1uD/tnpGtUTgf eR+IlWwr9oE=ftiF -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . Bugs fixed (https://bugzilla.redhat.com/): 1995656 - CVE-2021-36221 golang: net/http/httputil: panic due to racy read of persistConn after handler panic 5. Description: Red Hat Advanced Cluster Management for Kubernetes 2.2.11 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console — with security policy built in. See the following Release Notes documentation, which will be updated shortly for this release, for additional details about this release: https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.2/html/release_notes/ Security updates: * object-path: Type confusion vulnerability can lead to a bypass of CVE-2020-15256 (CVE-2021-23434) * follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor (CVE-2022-0155) Related bugs: * RHACM 2.2.11 images (Bugzilla #2029508) * ClusterImageSet has 4.5 which is not supported in ACM 2.2.10 (Bugzilla #2030859) 3. Bugs fixed (https://bugzilla.redhat.com/): 1999810 - CVE-2021-23434 object-path: Type confusion vulnerability can lead to a bypass of CVE-2020-15256 2029508 - RHACM 2.2.11 images 2030859 - ClusterImageSet has 4.5 which is not supported in ACM 2.2.10 2044556 - CVE-2022-0155 follow-redirects: Exposure of Private Personal Information to an Unauthorized Actor 5. ========================================================================== Ubuntu Security Notice USN-4394-1 June 10, 2020 sqlite3 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS - Ubuntu 19.10 - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS Summary: Several security issues were fixed in SQLite. Software Description: - sqlite3: C library that implements an SQL database engine Details: It was discovered that SQLite incorrectly handled certain corruped schemas. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS. An attacker could possibly use this issue to cause a denial of service. This issue was only addressed in Ubuntu 19.10. (CVE-2019-19603) It was discovered that SQLite incorrectly handled certain self-referential views. An attacker could possibly use this issue to cause a denial of service. This issue was only addressed in Ubuntu 19.10. (CVE-2019-19645) Henry Liu discovered that SQLite incorrectly handled certain malformed window-function queries. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 19.10 and Ubuntu 20.04 LTS. (CVE-2020-11655) It was discovered that SQLite incorrectly handled certain string operations. An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2020-13434) It was discovered that SQLite incorrectly handled certain expressions. An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 19.10 and Ubuntu 20.04 LTS. (CVE-2020-13435) It was discovered that SQLite incorrectly handled certain fts3 queries. An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2020-13630) It was discovered that SQLite incorrectly handled certain virtual table names. An attacker could possibly use this issue to cause a denial of service. This issue was only addressed in Ubuntu 19.10 and Ubuntu 20.04 LTS. (CVE-2020-13631) It was discovered that SQLite incorrectly handled certain fts3 queries. An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2020-13632) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS: libsqlite3-0 3.31.1-4ubuntu0.1 sqlite3 3.31.1-4ubuntu0.1 Ubuntu 19.10: libsqlite3-0 3.29.0-2ubuntu0.3 sqlite3 3.29.0-2ubuntu0.3 Ubuntu 18.04 LTS: libsqlite3-0 3.22.0-1ubuntu0.4 sqlite3 3.22.0-1ubuntu0.4 Ubuntu 16.04 LTS: libsqlite3-0 3.11.0-1ubuntu1.5 sqlite3 3.11.0-1ubuntu1.5 In general, a standard system update will make all the necessary changes. References: https://usn.ubuntu.com/4394-1 CVE-2018-8740, CVE-2019-19603, CVE-2019-19645, CVE-2020-11655, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632 Package Information: https://launchpad.net/ubuntu/+source/sqlite3/3.31.1-4ubuntu0.1 https://launchpad.net/ubuntu/+source/sqlite3/3.29.0-2ubuntu0.3 https://launchpad.net/ubuntu/+source/sqlite3/3.22.0-1ubuntu0.4 https://launchpad.net/ubuntu/+source/sqlite3/3.11.0-1ubuntu1.5 . Bugs fixed (https://bugzilla.redhat.com/): 1983596 - CVE-2021-34558 golang: crypto/tls: certificate of wrong type is causing TLS client to panic 1992006 - CVE-2021-29923 golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet 1997017 - unprivileged client fails to get guest agent data 1998855 - Node drain: Sometimes source virt-launcher pod status is Failed and not Completed 2000251 - RoleBinding and ClusterRoleBinding brought in by kubevirt does not get reconciled when kind is ServiceAccount 2001270 - [VMIO] [Warm from Vmware] Snapshot files are not deleted after Successful Import 2001281 - [VMIO] [Warm from VMware] Source VM should not be turned ON if vmio import is removed 2001901 - [4.8.3] NNCP creation failures after nmstate-handler pod deletion 2007336 - 4.8.3 containers 2007776 - Failed to Migrate Windows VM with CDROM (readonly) 2008511 - [CNV-4.8.3] VMI is in LiveMigrate loop when Upgrading Cluster from 2.6.7/4.7.32 to OCP 4.8.13 2012890 - With descheduler during multiple VMIs migrations, some VMs are restarted 2025475 - [4.8.3] Upgrade from 2.6 to 4.x versions failed due to vlan-filtering issues 2026881 - [4.8.3] vlan-filtering is getting applied on veth ports 5. Summary: The Migration Toolkit for Containers (MTC) 1.5.2 is now available. Description: The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Solution: For details on how to install and use MTC, refer to: https://docs.openshift.com/container-platform/latest/migration_toolkit_for_containers/installing-mtc.html 4. Bugs fixed (https://bugzilla.redhat.com/): 2000734 - CVE-2021-3757 nodejs-immer: prototype pollution may lead to DoS or remote code execution 2005438 - Combining Rsync and Stunnel in a single pod can degrade performance (1.5 backport) 2006842 - MigCluster CR remains in "unready" state and source registry is inaccessible after temporary shutdown of source cluster 2007429 - "oc describe" and "oc log" commands on "Migration resources" tree cannot be copied after failed migration 2022017 - CVE-2021-3948 mig-controller: incorrect namespaces handling may lead to not authorized usage of Migration Toolkit for Containers (MTC) 5. Summary: An update is now available for OpenShift Logging 5.2. Bugs fixed (https://bugzilla.redhat.com/): 1948761 - CVE-2021-23369 nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option 1956688 - CVE-2021-23383 nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option 5. JIRA issues fixed (https://issues.jboss.org/): LOG-1857 - OpenShift Alerting Rules Style-Guide Compliance LOG-1904 - [release-5.2] Fix the Display of ClusterLogging type in OLM LOG-1916 - [release-5.2] Fluentd logs emit transaction failed: error_class=NoMethodError while forwarding to external syslog server 6

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

TYPE

code execution

CONFIGURATIONS

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Red Hat

SOURCES

LAST UPDATE DATE

2026-02-05T14:29:59.256000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE