ID

VAR-201912-1378

CVE

CVE-2019-19603

TITLE

Red Hat Security Advisory 2021-5128-06

DESCRIPTION

SQLite 3.30.1 mishandles certain SELECT statements with a nonexistent VIEW, leading to an application crash. It exists that SQLite incorrectly handled certain corruped schemas. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS. (CVE-2018-8740). Bugs fixed (https://bugzilla.redhat.com/): 1944888 - CVE-2021-21409 netty: Request smuggling via content-length header 2004133 - CVE-2021-37136 netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data 2004135 - CVE-2021-37137 netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an unnecessary way 2030932 - CVE-2021-44228 log4j-core: Remote code execution in Log4j 2.x when logs contain an attacker-controlled string value 5. JIRA issues fixed (https://issues.jboss.org/): LOG-1971 - Applying cluster state is causing elasticsearch to hit an issue and become unusable 6. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: sqlite security update Advisory ID: RHSA-2021:4396-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2021:4396 Issue date: 2021-11-09 CVE Names: CVE-2019-5827 CVE-2019-13750 CVE-2019-13751 CVE-2019-19603 CVE-2020-13435 ==================================================================== 1. Summary: An update for sqlite is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64 Red Hat Enterprise Linux BaseOS (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64 3. Description: SQLite is a C library that implements an SQL database engine. A large subset of SQL92 is supported. A complete database is stored in a single disk file. The API is designed for convenience and ease of use. Applications that link against SQLite can enjoy the power and flexibility of an SQL database without the administrative hassles of supporting a separate database server. Security Fix(es): * sqlite: out-of-bounds access due to the use of 32-bit memory allocator interfaces (CVE-2019-5827) * sqlite: dropping of shadow tables not restricted in defensive mode (CVE-2019-13750) * sqlite: fts3: improve detection of corrupted records (CVE-2019-13751) * sqlite: mishandling of certain SELECT statements with non-existent VIEW can lead to DoS (CVE-2019-19603) * sqlite: NULL pointer dereference in sqlite3ExprCodeTarget() (CVE-2020-13435) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.5 Release Notes linked from the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1706805 - CVE-2019-5827 sqlite: out-of-bounds access due to the use of 32-bit memory allocator interfaces 1781997 - CVE-2019-13750 sqlite: dropping of shadow tables not restricted in defensive mode 1781998 - CVE-2019-13751 sqlite: fts3: improve detection of corrupted records 1785318 - CVE-2019-19603 sqlite: mishandling of certain SELECT statements with non-existent VIEW can lead to DoS 1841231 - CVE-2020-13435 sqlite: NULL pointer dereference in sqlite3ExprCodeTarget() 6. Package List: Red Hat Enterprise Linux AppStream (v. 8): aarch64: lemon-3.26.0-15.el8.aarch64.rpm lemon-debuginfo-3.26.0-15.el8.aarch64.rpm sqlite-analyzer-debuginfo-3.26.0-15.el8.aarch64.rpm sqlite-debuginfo-3.26.0-15.el8.aarch64.rpm sqlite-debugsource-3.26.0-15.el8.aarch64.rpm sqlite-libs-debuginfo-3.26.0-15.el8.aarch64.rpm sqlite-tcl-debuginfo-3.26.0-15.el8.aarch64.rpm ppc64le: lemon-3.26.0-15.el8.ppc64le.rpm lemon-debuginfo-3.26.0-15.el8.ppc64le.rpm sqlite-analyzer-debuginfo-3.26.0-15.el8.ppc64le.rpm sqlite-debuginfo-3.26.0-15.el8.ppc64le.rpm sqlite-debugsource-3.26.0-15.el8.ppc64le.rpm sqlite-libs-debuginfo-3.26.0-15.el8.ppc64le.rpm sqlite-tcl-debuginfo-3.26.0-15.el8.ppc64le.rpm s390x: lemon-3.26.0-15.el8.s390x.rpm lemon-debuginfo-3.26.0-15.el8.s390x.rpm sqlite-analyzer-debuginfo-3.26.0-15.el8.s390x.rpm sqlite-debuginfo-3.26.0-15.el8.s390x.rpm sqlite-debugsource-3.26.0-15.el8.s390x.rpm sqlite-libs-debuginfo-3.26.0-15.el8.s390x.rpm sqlite-tcl-debuginfo-3.26.0-15.el8.s390x.rpm x86_64: lemon-3.26.0-15.el8.x86_64.rpm lemon-debuginfo-3.26.0-15.el8.x86_64.rpm sqlite-analyzer-debuginfo-3.26.0-15.el8.x86_64.rpm sqlite-debuginfo-3.26.0-15.el8.x86_64.rpm sqlite-debugsource-3.26.0-15.el8.x86_64.rpm sqlite-libs-debuginfo-3.26.0-15.el8.x86_64.rpm sqlite-tcl-debuginfo-3.26.0-15.el8.x86_64.rpm Red Hat Enterprise Linux BaseOS (v. 8): Source: sqlite-3.26.0-15.el8.src.rpm aarch64: lemon-debuginfo-3.26.0-15.el8.aarch64.rpm sqlite-3.26.0-15.el8.aarch64.rpm sqlite-analyzer-debuginfo-3.26.0-15.el8.aarch64.rpm sqlite-debuginfo-3.26.0-15.el8.aarch64.rpm sqlite-debugsource-3.26.0-15.el8.aarch64.rpm sqlite-devel-3.26.0-15.el8.aarch64.rpm sqlite-libs-3.26.0-15.el8.aarch64.rpm sqlite-libs-debuginfo-3.26.0-15.el8.aarch64.rpm sqlite-tcl-debuginfo-3.26.0-15.el8.aarch64.rpm noarch: sqlite-doc-3.26.0-15.el8.noarch.rpm ppc64le: lemon-debuginfo-3.26.0-15.el8.ppc64le.rpm sqlite-3.26.0-15.el8.ppc64le.rpm sqlite-analyzer-debuginfo-3.26.0-15.el8.ppc64le.rpm sqlite-debuginfo-3.26.0-15.el8.ppc64le.rpm sqlite-debugsource-3.26.0-15.el8.ppc64le.rpm sqlite-devel-3.26.0-15.el8.ppc64le.rpm sqlite-libs-3.26.0-15.el8.ppc64le.rpm sqlite-libs-debuginfo-3.26.0-15.el8.ppc64le.rpm sqlite-tcl-debuginfo-3.26.0-15.el8.ppc64le.rpm s390x: lemon-debuginfo-3.26.0-15.el8.s390x.rpm sqlite-3.26.0-15.el8.s390x.rpm sqlite-analyzer-debuginfo-3.26.0-15.el8.s390x.rpm sqlite-debuginfo-3.26.0-15.el8.s390x.rpm sqlite-debugsource-3.26.0-15.el8.s390x.rpm sqlite-devel-3.26.0-15.el8.s390x.rpm sqlite-libs-3.26.0-15.el8.s390x.rpm sqlite-libs-debuginfo-3.26.0-15.el8.s390x.rpm sqlite-tcl-debuginfo-3.26.0-15.el8.s390x.rpm x86_64: lemon-debuginfo-3.26.0-15.el8.i686.rpm lemon-debuginfo-3.26.0-15.el8.x86_64.rpm sqlite-3.26.0-15.el8.i686.rpm sqlite-3.26.0-15.el8.x86_64.rpm sqlite-analyzer-debuginfo-3.26.0-15.el8.i686.rpm sqlite-analyzer-debuginfo-3.26.0-15.el8.x86_64.rpm sqlite-debuginfo-3.26.0-15.el8.i686.rpm sqlite-debuginfo-3.26.0-15.el8.x86_64.rpm sqlite-debugsource-3.26.0-15.el8.i686.rpm sqlite-debugsource-3.26.0-15.el8.x86_64.rpm sqlite-devel-3.26.0-15.el8.i686.rpm sqlite-devel-3.26.0-15.el8.x86_64.rpm sqlite-libs-3.26.0-15.el8.i686.rpm sqlite-libs-3.26.0-15.el8.x86_64.rpm sqlite-libs-debuginfo-3.26.0-15.el8.i686.rpm sqlite-libs-debuginfo-3.26.0-15.el8.x86_64.rpm sqlite-tcl-debuginfo-3.26.0-15.el8.i686.rpm sqlite-tcl-debuginfo-3.26.0-15.el8.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2019-5827 https://access.redhat.com/security/cve/CVE-2019-13750 https://access.redhat.com/security/cve/CVE-2019-13751 https://access.redhat.com/security/cve/CVE-2019-19603 https://access.redhat.com/security/cve/CVE-2020-13435 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.5_release_notes/ 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYYrcp9zjgjWX9erEAQh4VRAAjQa5rkkS0W4z5i8wkU7fmG5l2rfSAOzu ZuhbW2qZ0rGM60jVIkbin6Mw2corOw7FUIWUFxbqv0uD68HFnD9nS+D6DH9nDlJw WsPw6cZnNYhIl4HotGR+34w0mf+5Ld3yJMbAujT7avKV5RMb/qcsr8B42EF1ZX5F tcyriGtur+rKfDOPdeOtZZxTXFAmrlJftwiMViTskZPINmfoT4nutMv4WHCevEu7 cEDJih1x+UsS4cOPfeqBNFYxIFIZun0f6W9VWGZSOz/s06FDbuNY60/tLulU9jDx JzAwKKl1P/nK1u8fKD0prFmsQluqR7fbrpLEbxz3jdK+nRTaxNrni99PYbJhVG9o krCC7AwmSLFH2nGTyOU+/U81yrba5BYXEsb576CM4n0wtumtDJ6n9EITAt7JB90D iS53SxBkZH0YXhAe3vrzu7m8Snz/5wX2eeN1kSfZDMg57xil0tmvLdCtBaVw6sGs ehv5N9tGT+tvCz9BhXdhsbCJWyuFKaQ0XbZmRSrgHrkTZoOdgtTsmJ8tZ1xeFBeS YmS0qXEfAAChNzU4YKhe/JYIdEr6D2mILe1Ojcj6b6m4ja7xJmvPmnv4j2Qt1A21 R+TOyTEHp12WxFo8QlX0o/F1wMrluR4Nss5YXPCmpkpntlaXBg8n5tcPmq5Vb9kg u4IzYbfFiTQ=6X4Z -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . Summary: The Migration Toolkit for Containers (MTC) 1.6.3 is now available. Description: The Migration Toolkit for Containers (MTC) enables you to migrate Kubernetes resources, persistent volume data, and internal container images between OpenShift Container Platform clusters, using the MTC web console or the Kubernetes API. Bugs fixed (https://bugzilla.redhat.com/): 2019088 - "MigrationController" CR displays syntax error when unquiescing applications 2021666 - Route name longer than 63 characters causes direct volume migration to fail 2021668 - "MigrationController" CR ignores the "cluster_subdomain" value for direct volume migration routes 2022017 - CVE-2021-3948 mig-controller: incorrect namespaces handling may lead to not authorized usage of Migration Toolkit for Containers (MTC) 2024966 - Manifests not used by Operator Lifecycle Manager must be removed from the MTC 1.6 Operator image 2027196 - "migration-controller" pod goes into "CrashLoopBackoff" state if an invalid registry route is entered on the "Clusters" page of the web console 2027382 - "Copy oc describe/oc logs" window does not close automatically after timeout 2028841 - "rsync-client" container fails during direct volume migration with "Address family not supported by protocol" error 2031793 - "migration-controller" pod goes into "CrashLoopBackOff" state if "MigPlan" CR contains an invalid "includedResources" resource 2039852 - "migration-controller" pod goes into "CrashLoopBackOff" state if "MigPlan" CR contains an invalid "destMigClusterRef" or "srcMigClusterRef" 5. Bugs fixed (https://bugzilla.redhat.com/): 1995656 - CVE-2021-36221 golang: net/http/httputil: panic due to racy read of persistConn after handler panic 5. Summary: Red Hat Advanced Cluster Management for Kubernetes 2.2.10 General Availability release images, which provide one or more container updates and bug fixes. Description: Red Hat Advanced Cluster Management for Kubernetes 2.2.10 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console — with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which provide security fixes, bug fixes and container upgrades. See the following Release Notes documentation, which will be updated shortly for this release, for additional details about this release: https://access.redhat.com/documentation/en-us/red_hat_advanced_cluster_management_for_kubernetes/2.2/html/release_notes/ Security fixes: * CVE-2021-3795 semver-regex: inefficient regular expression complexity * CVE-2021-23440 nodejs-set-value: type confusion allows bypass of CVE-2019-10747 Related bugs: * RHACM 2.2.10 images (Bugzilla #2013652) 3. Bugs fixed (https://bugzilla.redhat.com/): 2004944 - CVE-2021-23440 nodejs-set-value: type confusion allows bypass of CVE-2019-10747 2006009 - CVE-2021-3795 semver-regex: inefficient regular expression complexity 2013652 - RHACM 2.2.10 images 5. Bugs fixed (https://bugzilla.redhat.com/): 1963232 - CVE-2021-33194 golang: x/net/html: infinite loop in ParseFragment 5. JIRA issues fixed (https://issues.jboss.org/): LOG-1168 - Disable hostname verification in syslog TLS settings LOG-1235 - Using HTTPS without a secret does not translate into the correct 'scheme' value in Fluentd LOG-1375 - ssl_ca_cert should be optional LOG-1378 - CLO should support sasl_plaintext(Password over http) LOG-1392 - In fluentd config, flush_interval can't be set with flush_mode=immediate LOG-1494 - Syslog output is serializing json incorrectly LOG-1555 - Fluentd logs emit transaction failed: error_class=NoMethodError while forwarding to external syslog server LOG-1575 - Rejected by Elasticsearch and unexpected json-parsing LOG-1735 - Regression introducing flush_at_shutdown LOG-1774 - The collector logs should be excluded in fluent.conf LOG-1776 - fluentd total_limit_size sets value beyond available space LOG-1822 - OpenShift Alerting Rules Style-Guide Compliance LOG-1859 - CLO Should not error and exit early on missing ca-bundle when cluster wide proxy is not enabled LOG-1862 - Unsupported kafka parameters when enabled Kafka SASL LOG-1903 - Fix the Display of ClusterLogging type in OLM LOG-1911 - CLF API changes to Opt-in to multiline error detection LOG-1918 - Alert `FluentdNodeDown` always firing LOG-1939 - Opt-in multiline detection breaks cloudwatch forwarding 6. Bugs fixed (https://bugzilla.redhat.com/): 1948761 - CVE-2021-23369 nodejs-handlebars: Remote code execution when compiling untrusted compile templates with strict:true option 1956688 - CVE-2021-23383 nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option 5

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

TYPE

code execution

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Red Hat

SOURCES

LAST UPDATE DATE

2025-09-28T20:43:04.965000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE