ID

VAR-202005-0223

CVE

CVE-2020-13631

TITLE

Red Hat Security Advisory 2021-2021-01

DESCRIPTION

SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of its shadow tables, related to alter.c and build.c. SQLite is an open source embedded relational database management system based on C language developed by American D.Richard Hipp software developer. The system has the characteristics of independence, isolation and cross-platform. A security vulnerability exists in SQLite versions prior to 3.32.0. An attacker could exploit this vulnerability to rename the virtual form to the name of one of the shadow forms. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: mingw packages security and bug fix update Advisory ID: RHSA-2021:1968-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2021:1968 Issue date: 2021-05-18 CVE Names: CVE-2019-16168 CVE-2020-13434 CVE-2020-13630 CVE-2020-13631 CVE-2020-13632 ==================================================================== 1. Summary: An update for mingw-binutils, mingw-bzip2, mingw-filesystem, and mingw-sqlite is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat CodeReady Linux Builder (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64 3. Description: MinGW is a free and open source software development environment to create Microsoft Windows applications. The following packages have been upgraded to a later upstream version: mingw-sqlite (3.26.0.0). Additional Changes: For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.4 Release Notes linked from the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Package List: Red Hat CodeReady Linux Builder (v. 8): Source: mingw-binutils-2.30-3.el8.src.rpm mingw-bzip2-1.0.6-14.el8.src.rpm mingw-filesystem-104-2.el8.src.rpm mingw-sqlite-3.26.0.0-1.el8.src.rpm aarch64: mingw-binutils-debuginfo-2.30-3.el8.aarch64.rpm mingw-binutils-debugsource-2.30-3.el8.aarch64.rpm mingw-binutils-generic-2.30-3.el8.aarch64.rpm mingw-binutils-generic-debuginfo-2.30-3.el8.aarch64.rpm mingw32-binutils-2.30-3.el8.aarch64.rpm mingw32-binutils-debuginfo-2.30-3.el8.aarch64.rpm mingw64-binutils-2.30-3.el8.aarch64.rpm mingw64-binutils-debuginfo-2.30-3.el8.aarch64.rpm noarch: mingw-filesystem-base-104-2.el8.noarch.rpm mingw32-bzip2-1.0.6-14.el8.noarch.rpm mingw32-bzip2-debuginfo-1.0.6-14.el8.noarch.rpm mingw32-bzip2-static-1.0.6-14.el8.noarch.rpm mingw32-filesystem-104-2.el8.noarch.rpm mingw32-sqlite-3.26.0.0-1.el8.noarch.rpm mingw32-sqlite-debuginfo-3.26.0.0-1.el8.noarch.rpm mingw32-sqlite-static-3.26.0.0-1.el8.noarch.rpm mingw64-bzip2-1.0.6-14.el8.noarch.rpm mingw64-bzip2-debuginfo-1.0.6-14.el8.noarch.rpm mingw64-bzip2-static-1.0.6-14.el8.noarch.rpm mingw64-filesystem-104-2.el8.noarch.rpm mingw64-sqlite-3.26.0.0-1.el8.noarch.rpm mingw64-sqlite-debuginfo-3.26.0.0-1.el8.noarch.rpm mingw64-sqlite-static-3.26.0.0-1.el8.noarch.rpm ppc64le: mingw-binutils-debuginfo-2.30-3.el8.ppc64le.rpm mingw-binutils-debugsource-2.30-3.el8.ppc64le.rpm mingw-binutils-generic-2.30-3.el8.ppc64le.rpm mingw-binutils-generic-debuginfo-2.30-3.el8.ppc64le.rpm mingw32-binutils-2.30-3.el8.ppc64le.rpm mingw32-binutils-debuginfo-2.30-3.el8.ppc64le.rpm mingw64-binutils-2.30-3.el8.ppc64le.rpm mingw64-binutils-debuginfo-2.30-3.el8.ppc64le.rpm s390x: mingw-binutils-debuginfo-2.30-3.el8.s390x.rpm mingw-binutils-debugsource-2.30-3.el8.s390x.rpm mingw-binutils-generic-2.30-3.el8.s390x.rpm mingw-binutils-generic-debuginfo-2.30-3.el8.s390x.rpm mingw32-binutils-2.30-3.el8.s390x.rpm mingw32-binutils-debuginfo-2.30-3.el8.s390x.rpm mingw64-binutils-2.30-3.el8.s390x.rpm mingw64-binutils-debuginfo-2.30-3.el8.s390x.rpm x86_64: mingw-binutils-debuginfo-2.30-3.el8.x86_64.rpm mingw-binutils-debugsource-2.30-3.el8.x86_64.rpm mingw-binutils-generic-2.30-3.el8.x86_64.rpm mingw-binutils-generic-debuginfo-2.30-3.el8.x86_64.rpm mingw32-binutils-2.30-3.el8.x86_64.rpm mingw32-binutils-debuginfo-2.30-3.el8.x86_64.rpm mingw64-binutils-2.30-3.el8.x86_64.rpm mingw64-binutils-debuginfo-2.30-3.el8.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYKPxbdzjgjWX9erEAQgodQ/+NmIb/oDuS6uoA9WfD36xVTffsjTsgfFC EI/5+/9lv7i8AyOig/lyHF8j69RX0W0eNR/Vl+DMT/H6XuqusJ5amOGD5LuP0TEp Dep644tOoK5rd0PD1RT/fY9YTyzzaCkhsHYtV3FYtbh4P82FSGuOo5Tdw597GwHK GIp+T0pIzZGgvlO0OYObEuC75bfZ2xR54zWAtZ2YZyhc7jSqwcSDB5VLaR9Vqa5A /cgFid2haP8UFokSzYBtJwnImIrFI0SP6Q3gu0NjqfU2+E/pVyEmsdCHUfJjU5cy UaBnM0qKDWdLqeUJSCFeaDaJ8i45qPZYKz6qXBezY+ko42ElBXlAW/pA1GCbbc8K yXFziu/YZnOB+FqGa1UFHMJLDIhI9rG9BITjDfD3UAzgA6YUF5eBy2rP5bqrq86+ puSPGzoCZLGAXOd4RQTK6NOIUOnT+jdNXyzXlkG/leoWjuMHva+3415MDl5SWuel wOXXGphzanYRTkHim8U6yC1PQxnh8J6pbDZyYXpJY8hnrFFMw5VGhMBpoac/pdkk 0jNE1bd06+9gtkxBV2T2VHrHOFoSzi00hubq7DszPPxUfjpHelud6CS3/HSU7iRj CXTqVshZ9lEguvbmb6flsp01/jDUlbPA18NBMVX2WEgZp1duHpS7Mn5FZM+PHwfK 1mKR5jfd/6Q=+R6x -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . Bug Fix(es): * Configuring the system with non-RT kernel will hang the system (BZ#1923220) 3. Bugs fixed (https://bugzilla.redhat.com/): 1902111 - CVE-2020-27813 golang-github-gorilla-websocket: integer overflow leads to denial of service 5. JIRA issues fixed (https://issues.jboss.org/): CNF-802 - Infrastructure-provided enablement/disablement of interrupt processing for guaranteed pod CPUs CNF-854 - Performance tests in CNF Tests 6. ========================================================================== Ubuntu Security Notice USN-4394-1 June 10, 2020 sqlite3 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS - Ubuntu 19.10 - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS Summary: Several security issues were fixed in SQLite. Software Description: - sqlite3: C library that implements an SQL database engine Details: It was discovered that SQLite incorrectly handled certain corruped schemas. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS. (CVE-2018-8740) It was discovered that SQLite incorrectly handled certain SELECT statements. An attacker could possibly use this issue to cause a denial of service. This issue was only addressed in Ubuntu 19.10. (CVE-2019-19603) It was discovered that SQLite incorrectly handled certain self-referential views. An attacker could possibly use this issue to cause a denial of service. This issue was only addressed in Ubuntu 19.10. (CVE-2019-19645) Henry Liu discovered that SQLite incorrectly handled certain malformed window-function queries. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 19.10 and Ubuntu 20.04 LTS. (CVE-2020-11655) It was discovered that SQLite incorrectly handled certain string operations. An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2020-13434) It was discovered that SQLite incorrectly handled certain expressions. An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 19.10 and Ubuntu 20.04 LTS. (CVE-2020-13435) It was discovered that SQLite incorrectly handled certain fts3 queries. An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code. An attacker could possibly use this issue to cause a denial of service. This issue was only addressed in Ubuntu 19.10 and Ubuntu 20.04 LTS. (CVE-2020-13631) It was discovered that SQLite incorrectly handled certain fts3 queries. An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2020-13632) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS: libsqlite3-0 3.31.1-4ubuntu0.1 sqlite3 3.31.1-4ubuntu0.1 Ubuntu 19.10: libsqlite3-0 3.29.0-2ubuntu0.3 sqlite3 3.29.0-2ubuntu0.3 Ubuntu 18.04 LTS: libsqlite3-0 3.22.0-1ubuntu0.4 sqlite3 3.22.0-1ubuntu0.4 Ubuntu 16.04 LTS: libsqlite3-0 3.11.0-1ubuntu1.5 sqlite3 3.11.0-1ubuntu1.5 In general, a standard system update will make all the necessary changes. References: https://usn.ubuntu.com/4394-1 CVE-2018-8740, CVE-2019-19603, CVE-2019-19645, CVE-2020-11655, CVE-2020-13434, CVE-2020-13435, CVE-2020-13630, CVE-2020-13631, CVE-2020-13632 Package Information: https://launchpad.net/ubuntu/+source/sqlite3/3.31.1-4ubuntu0.1 https://launchpad.net/ubuntu/+source/sqlite3/3.29.0-2ubuntu0.3 https://launchpad.net/ubuntu/+source/sqlite3/3.22.0-1ubuntu0.4 https://launchpad.net/ubuntu/+source/sqlite3/3.11.0-1ubuntu1.5 . Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. See the following advisory for the container images for this release: https://access.redhat.com/errata/RHEA-2020:5633 All OpenShift Container Platform users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift Console or the CLI oc command. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.7/updating/updating-cluster - -between-minor.html#understanding-upgrade-channels_updating-cluster-between - -minor. Solution: For OpenShift Container Platform 4.7 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.7/release_notes/ocp-4-7-rel ease-notes.html Details on how to access this content are available at https://docs.openshift.com/container-platform/4.7/updating/updating-cluster - -cli.html. Bugs fixed (https://bugzilla.redhat.com/): 1823765 - nfd-workers crash under an ipv6 environment 1838802 - mysql8 connector from operatorhub does not work with metering operator 1838845 - Metering operator can't connect to postgres DB from Operator Hub 1841883 - namespace-persistentvolumeclaim-usage query returns unexpected values 1853652 - CVE-2020-14040 golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash 1868294 - NFD operator does not allow customisation of nfd-worker.conf 1882310 - CVE-2020-24750 jackson-databind: Serialization gadgets in com.pastdev.httpcomponents.configuration.JndiConfiguration 1890672 - NFD is missing a build flag to build correctly 1890741 - path to the CA trust bundle ConfigMap is broken in report operator 1897346 - NFD worker pods not scheduler on a 3 node master/worker cluster 1898373 - Metering operator failing upgrade from 4.4 to 4.6 channel 1900125 - FIPS error while generating RSA private key for CA 1906129 - OCP 4.7: Node Feature Discovery (NFD) Operator in CrashLoopBackOff when deployed from OperatorHub 1908492 - OCP 4.7: Node Feature Discovery (NFD) Operator Custom Resource Definition file in olm-catalog is not in sync with the one in manifests dir leading to failed deployment from OperatorHub 1913837 - The CI and ART 4.7 metering images are not mirrored 1914869 - OCP 4.7 NFD - Operand configuration options for NodeFeatureDiscovery are empty, no supported image for ppc64le 1916010 - olm skip range is set to the wrong range 1921650 - CVE-2021-3121 gogo/protobuf: plugin/unmarshal/unmarshal.go lacks certain index validation 1923998 - NFD Operator is failing to update and remains in Replacing state 5. Solution: See the documentation at: https://access.redhat.com/documentation/en-us/openshift_container_platform/ 4.6/html/serverless_applications/index 4. Bugs fixed (https://bugzilla.redhat.com/): 1874857 - CVE-2020-24553 golang: default Content-Type setting in net/http/cgi and net/http/fcgi could cause XSS 1897635 - CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers 1897643 - CVE-2020-28366 golang: malicious symbol names can lead to code execution at build time 1897646 - CVE-2020-28367 golang: improper validation of cgo flags can lead to code execution at build time 1906381 - Release of OpenShift Serverless Serving 1.12.0 1906382 - Release of OpenShift Serverless Eventing 1.12.0 5

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

TYPE

overflow

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Red Hat

SOURCES

LAST UPDATE DATE

2026-03-24T21:04:18.570000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE