ID

VAR-202005-0223

CVE

CVE-2020-13631

TITLE

Sqlite Security hole

DESCRIPTION

SQLite before 3.32.0 allows a virtual table to be renamed to the name of one of its shadow tables, related to alter.c and build.c. SQLite is an open source embedded relational database management system based on C language developed by American D.Richard Hipp software developer. The system has the characteristics of independence, isolation and cross-platform. A security vulnerability exists in SQLite versions prior to 3.32.0. An attacker could exploit this vulnerability to rename the virtual form to the name of one of the shadow forms. Summary: Openshift Serverless 1.10.2 is now available. Solution: See the documentation at: https://access.redhat.com/documentation/en-us/openshift_container_platform/ 4.5/html/serverless_applications/index 4. Bugs fixed (https://bugzilla.redhat.com/): 1918750 - CVE-2021-3114 golang: crypto/elliptic: incorrect operations on the P-224 curve 1918761 - CVE-2021-3115 golang: cmd/go: packages using cgo can cause arbitrary code execution at build time 5. Solution: Download the release images via: quay.io/redhat/quay:v3.3.3 quay.io/redhat/clair-jwt:v3.3.3 quay.io/redhat/quay-builder:v3.3.3 quay.io/redhat/clair:v3.3.3 4. Bugs fixed (https://bugzilla.redhat.com/): 1905758 - CVE-2020-27831 quay: email notifications authorization bypass 1905784 - CVE-2020-27832 quay: persistent XSS in repository notification display 5. JIRA issues fixed (https://issues.jboss.org/): PROJQUAY-1124 - NVD feed is broken for latest Clair v2 version 6. Bug Fix(es): * Configuring the system with non-RT kernel will hang the system (BZ#1923220) 3. Bugs fixed (https://bugzilla.redhat.com/): 1902111 - CVE-2020-27813 golang-github-gorilla-websocket: integer overflow leads to denial of service 5. JIRA issues fixed (https://issues.jboss.org/): CNF-802 - Infrastructure-provided enablement/disablement of interrupt processing for guaranteed pod CPUs CNF-854 - Performance tests in CNF Tests 6. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: OpenShift Container Platform 4.6 compliance-operator security and bug fix update Advisory ID: RHSA-2021:0436-01 Product: Red Hat OpenShift Enterprise Advisory URL: https://access.redhat.com/errata/RHSA-2021:0436 Issue date: 2021-02-16 CVE Names: CVE-2018-20843 CVE-2019-1551 CVE-2019-5018 CVE-2019-8625 CVE-2019-8710 CVE-2019-8720 CVE-2019-8743 CVE-2019-8764 CVE-2019-8766 CVE-2019-8769 CVE-2019-8771 CVE-2019-8782 CVE-2019-8783 CVE-2019-8808 CVE-2019-8811 CVE-2019-8812 CVE-2019-8813 CVE-2019-8814 CVE-2019-8815 CVE-2019-8816 CVE-2019-8819 CVE-2019-8820 CVE-2019-8823 CVE-2019-8835 CVE-2019-8844 CVE-2019-8846 CVE-2019-11068 CVE-2019-13050 CVE-2019-13627 CVE-2019-14889 CVE-2019-15165 CVE-2019-15903 CVE-2019-16168 CVE-2019-16935 CVE-2019-18197 CVE-2019-19221 CVE-2019-19906 CVE-2019-19956 CVE-2019-20218 CVE-2019-20386 CVE-2019-20387 CVE-2019-20388 CVE-2019-20454 CVE-2019-20807 CVE-2019-20907 CVE-2019-20916 CVE-2020-1730 CVE-2020-1751 CVE-2020-1752 CVE-2020-1971 CVE-2020-3862 CVE-2020-3864 CVE-2020-3865 CVE-2020-3867 CVE-2020-3868 CVE-2020-3885 CVE-2020-3894 CVE-2020-3895 CVE-2020-3897 CVE-2020-3899 CVE-2020-3900 CVE-2020-3901 CVE-2020-3902 CVE-2020-6405 CVE-2020-7595 CVE-2020-8177 CVE-2020-8492 CVE-2020-9327 CVE-2020-9802 CVE-2020-9803 CVE-2020-9805 CVE-2020-9806 CVE-2020-9807 CVE-2020-9843 CVE-2020-9850 CVE-2020-9862 CVE-2020-9893 CVE-2020-9894 CVE-2020-9895 CVE-2020-9915 CVE-2020-9925 CVE-2020-10018 CVE-2020-10029 CVE-2020-11793 CVE-2020-13630 CVE-2020-13631 CVE-2020-13632 CVE-2020-14382 CVE-2020-14391 CVE-2020-14422 CVE-2020-15503 CVE-2020-24659 CVE-2020-28362 ==================================================================== 1. Summary: An update for compliance-content-container, ose-compliance-openscap-container, ose-compliance-operator-container, and ose-compliance-operator-metadata-container is now available for Red Hat OpenShift Container Platform 4.6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Description: Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. The compliance-operator image updates are now available for OpenShift Container Platform 4.6. This advisory provides the following updates among others: * Enhances profile parsing time. * Fixes excessive resource consumption from the Operator. * Fixes default content image. * Fixes outdated remediation handling. Security Fix(es): * golang: math/big: panic during recursive division of very large numbers (CVE-2020-28362) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 3. Solution: For OpenShift Container Platform 4.6 see the following documentation, which will be updated shortly for this release, for important instructions on how to upgrade your cluster and fully apply this asynchronous errata update: https://docs.openshift.com/container-platform/4.6/release_notes/ocp-4-6-rel ease-notes.html Details on how to access this content are available at https://docs.openshift.com/container-platform/4.6/updating/updating-cluster - -cli.html. 4. Bugs fixed (https://bugzilla.redhat.com/): 1897635 - CVE-2020-28362 golang: math/big: panic during recursive division of very large numbers 1918990 - ComplianceSuite scans use quay content image for initContainer 1919135 - [OCP v46] The autoApplyRemediation pauses the machineConfigPool if there is outdated complianceRemediation object present 1919846 - After remediation applied, the compliancecheckresults still reports Failed status for some rules 1920999 - Compliance operator is not displayed when disconnected mode is selected in the OpenShift Web-Console. 5. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2021 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYCvGHtzjgjWX9erEAQgbKw/9Had++A7098ddqffgX/DicKszQfZFT6Qm iN2FfA9in0X4MvScGqGchX2hv7nqdoz+lS5+tHI52Bp6i5ZT9bAjBx/GrETirwBw y76qRaIr0a3I5rSirguZSs52IeGv+l00RCACfZgH/H1oFzNJY1pRjoOPy60/prP6 P/4l6u5CcRcTpxmEoU6XMyl+BGgk2/0FaWE8ZgXnnm7w/VSzvj5XymwLjE48wG3j iGGKCCwv/zvtP/ntG+MMUkKDUpFOxtLWp2PonZKsB0ZiK5Rm87izVVxDHmXhlirP Pgq/evTDV3SmXqjFN5K1e08cMdjpDvnjHDx0fLJrvhBlLTYczOnkLMmk72Emwsm+ xEj3q80MZ9EyMAZe33TO9kTpGRfeBUF1FenDE1k1foY6lBT2WqiH2pIypubH7X0j BIGAnJf5swl8EGbLQUIVIA1o69dR6Zz0kvdbfm/NVMUjbRyTyaZcP1chViVGrI2h 43RH51tfvwp7lMBqFyvhtbopvmnt3egIFenrQcg0tT4v6+eRiwz9HAfDXjeez/I6 qKJboYtU+hnEizNNOkbHPICUWD9pSFZewAV7kPIJeJ99JWzXABMUl6Ku3Ds9hojR 7MIu0W9WbzdfUSd1i53fcbPcRauXLu273xyWo402ZOQOWAHhVLA08J9YoGWYamIP hg9Ld3UR71Q=5olk -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2020-11-13-4 Additional information for APPLE-SA-2020-09-16-2 tvOS 14.0 tvOS 14.0 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT211843. Assets Available for: Apple TV 4K and Apple TV HD Impact: An attacker may be able to misuse a trust relationship to download malicious content Description: A trust issue was addressed by removing a legacy API. CVE-2020-9979: CodeColorist of LightYear Security Lab of AntGroup Entry updated November 12, 2020 Audio Available for: Apple TV 4K and Apple TV HD Impact: A malicious application may be able to read restricted memory Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2020-9943: JunDong Xie of Ant Group Light-Year Security Lab Entry added November 12, 2020 Audio Available for: Apple TV 4K and Apple TV HD Impact: An application may be able to read restricted memory Description: An out-of-bounds read was addressed with improved bounds checking. CVE-2020-9944: JunDong Xie of Ant Group Light-Year Security Lab Entry added November 12, 2020 CoreAudio Available for: Apple TV 4K and Apple TV HD Impact: Playing a malicious audio file may lead to arbitrary code execution Description: A buffer overflow issue was addressed with improved memory handling. CVE-2020-9954: Francis working with Trend Micro Zero Day Initiative, JunDong Xie of Ant Group Light-Year Security Lab Entry added November 12, 2020 CoreCapture Available for: Apple TV 4K and Apple TV HD Impact: An application may be able to execute arbitrary code with kernel privileges Description: A use after free issue was addressed with improved memory management. CVE-2020-9949: Proteas Entry added November 12, 2020 Disk Images Available for: Apple TV 4K and Apple TV HD Impact: An application may be able to execute arbitrary code with kernel privileges Description: An out-of-bounds read was addressed with improved input validation. CVE-2020-9965: Proteas CVE-2020-9966: Proteas Entry added November 12, 2020 ImageIO Available for: Apple TV 4K and Apple TV HD Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: An out-of-bounds read was addressed with improved input validation. CVE-2020-9961: Xingwei Lin of Ant Security Light-Year Lab Entry added November 12, 2020 ImageIO Available for: Apple TV 4K and Apple TV HD Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution Description: An out-of-bounds write issue was addressed with improved bounds checking. CVE-2020-9876: Mickey Jin of Trend Micro Entry added November 12, 2020 Keyboard Available for: Apple TV 4K and Apple TV HD Impact: A malicious application may be able to leak sensitive user information Description: A logic issue was addressed with improved state management. CVE-2020-9976: Rias A. Sherzad of JAIDE GmbH in Hamburg, Germany libxml2 Available for: Apple TV 4K and Apple TV HD Impact: Processing a maliciously crafted file may lead to arbitrary code execution Description: A use after free issue was addressed with improved memory management. CVE-2020-9981: found by OSS-Fuzz Entry added November 12, 2020 Sandbox Available for: Apple TV 4K and Apple TV HD Impact: A local user may be able to view senstive user information Description: An access issue was addressed with additional sandbox restrictions. CVE-2020-9969: Wojciech Reguła of SecuRing (wojciechregula.blog) Entry added November 12, 2020 Sandbox Available for: Apple TV 4K and Apple TV HD Impact: A malicious application may be able to access restricted files Description: A logic issue was addressed with improved restrictions. CVE-2020-9968: Adam Chester (@_xpn_) of TrustedSec Entry updated September 17, 2020 SQLite Available for: Apple TV 4K and Apple TV HD Impact: A remote attacker may be able to cause a denial of service Description: This issue was addressed with improved checks. CVE-2020-13434 CVE-2020-13435 CVE-2020-9991 Entry added November 12, 2020 SQLite Available for: Apple TV 4K and Apple TV HD Impact: Multiple issues in SQLite Description: Multiple issues were addressed by updating SQLite to version 3.32.3. CVE-2020-15358 Entry added November 12, 2020 SQLite Available for: Apple TV 4K and Apple TV HD Impact: A maliciously crafted SQL query may lead to data corruption Description: This issue was addressed with improved checks. CVE-2020-13631 Entry added November 12, 2020 SQLite Available for: Apple TV 4K and Apple TV HD Impact: A remote attacker may be able to leak memory Description: An information disclosure issue was addressed with improved state management. CVE-2020-9849 Entry added November 12, 2020 SQLite Available for: Apple TV 4K and Apple TV HD Impact: A remote attacker may be able to cause arbitrary code execution Description: A memory corruption issue was addressed with improved state management. CVE-2020-13630 Entry added November 12, 2020 WebKit Available for: Apple TV 4K and Apple TV HD Impact: Processing maliciously crafted web content may lead to arbitrary code execution Description: A use after free issue was addressed with improved memory management. CVE-2020-9947: cc working with Trend Micro Zero Day Initiative CVE-2020-9950: cc working with Trend Micro Zero Day Initiative CVE-2020-9951: Marcin 'Icewall' Noga of Cisco Talos Entry added November 12, 2020 WebKit Available for: Apple TV 4K and Apple TV HD Impact: Processing maliciously crafted web content may lead to code execution Description: An out-of-bounds write issue was addressed with improved bounds checking. CVE-2020-9983: zhunki Entry added November 12, 2020 WebKit Available for: Apple TV 4K and Apple TV HD Impact: Processing maliciously crafted web content may lead to a cross site scripting attack Description: An input validation issue was addressed with improved input validation. CVE-2020-9952: Ryan Pickren (ryanpickren.com) Wi-Fi Available for: Apple TV 4K and Apple TV HD Impact: An application may be able to execute arbitrary code with kernel privileges Description: A logic issue was addressed with improved state management. CVE-2020-10013: Yu Wang of Didi Research America Entry added November 12, 2020 Additional recognition Audio We would like to acknowledge JunDong Xie and XingWei Lin of Ant- financial Light-Year Security Lab for their assistance. Entry added November 12, 2020 Bluetooth We would like to acknowledge Andy Davis of NCC Group and Dennis Heinze (@ttdennis) of TU Darmstadt, Secure Mobile Networking Lab for their assistance. Clang We would like to acknowledge Brandon Azad of Google Project Zero for their assistance. Entry added November 12, 2020 Core Location We would like to acknowledge Yiğit Can YILMAZ (@yilmazcanyigit) for their assistance. iAP We would like to acknowledge Andy Davis of NCC Group for their assistance. Kernel We would like to acknowledge Brandon Azad of Google Project Zero, Stephen Röttger of Google for their assistance. Entry updated November 12, 2020 Location Framework We would like to acknowledge Nicolas Brunner (linkedin.com/in/nicolas-brunner-651bb4128) for their assistance. Entry updated October 19, 2020 Safari We would like to acknowledge Ryan Pickren (ryanpickren.com) for their assistance. Entry added November 12, 2020 WebKit We would like to acknowledge Pawel Wylecial of REDTEAM.PL, Ryan Pickren (ryanpickren.com), Tsubasa FUJII (@reinforchu), Zhiyang Zeng(@Wester) of OPPO ZIWU Security Lab for their assistance. Entry added November 12, 2020 Installation note: Apple TV will periodically check for software updates. Alternatively, you may manually check for software updates by selecting "Settings -> System -> Software Update -> Update Software." To check the current version of software, select "Settings -> General -> About." This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -----BEGIN PGP SIGNATURE----- iQIzBAEBCAAdFiEEbURczHs1TP07VIfuZcsbuWJ6jjAFAl+uyHoACgkQZcsbuWJ6 jjAwvw/+LOihEZ6W7DntL6nfl432KOZ58vNbauzTxYCo6HHsfu9d80SP7BF/BiIf 5rXBfJSyP8K0cQwmhli5xv4DH2VPSwP9GKZXDEG9OYQoHZJ3aie2bOUyPlH14WTZ JbL00oIdSXaPeovCNah6ahyI6apX63NpJr3FZkbNCDFsGdv7bjkoshRacGMkVSqG ytAoAsTpuaQEzHCWkvj0hdUasB/VmlnZQS5CzasGplL+1Y6pkwxjxEnN4BlV1/Zn r7ZWn2SOrf1UZoB/TAE39WdXY7pZ2WfDIyOzIqCioPc3ZlE7bRh7KKRMHwXNDp6Q XMeb6G818+XpHFKTV/NbLKpq0SjS8YEVhPmpS5e30HepgGbU3h/ufjqJQdnSWyj4 P33pI5Bfo5nFISyyJ+EsDczfWjpUn10F3xiOUb3IZcFuXrbkCFx4GrpnZ25eg1Z0 sXSTq9+lSc1lqDkyBVRNyWAKp5/lsLAmV+WaFugv9svXoxdDyYVA9waFiaxnGHPy E1hTrVKUFKZmUmiYxEo4b/LSdr8IdaLvsdlWb/4z+C9c1ei/U+yMtOYU8U+JCsVP 4v5hVcnPvL7sFiKfBPW7LsvRq5z1L58l61AivGbPZRkRG4oObOtoWvec4ygQ6tbM Hmc8HATllbUSoeu0eTtnlYgIKdia14DQFclcbTdMBU37y0DrBJc= =CBpG -----END PGP SIGNATURE----- . ========================================================================== Ubuntu Security Notice USN-4394-1 June 10, 2020 sqlite3 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 20.04 LTS - Ubuntu 19.10 - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS Summary: Several security issues were fixed in SQLite. Software Description: - sqlite3: C library that implements an SQL database engine Details: It was discovered that SQLite incorrectly handled certain corruped schemas. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS. (CVE-2018-8740) It was discovered that SQLite incorrectly handled certain SELECT statements. An attacker could possibly use this issue to cause a denial of service. This issue was only addressed in Ubuntu 19.10. (CVE-2019-19603) It was discovered that SQLite incorrectly handled certain self-referential views. An attacker could possibly use this issue to cause a denial of service. This issue was only addressed in Ubuntu 19.10. (CVE-2019-19645) Henry Liu discovered that SQLite incorrectly handled certain malformed window-function queries. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 19.10 and Ubuntu 20.04 LTS. (CVE-2020-11655) It was discovered that SQLite incorrectly handled certain string operations. An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2020-13434) It was discovered that SQLite incorrectly handled certain expressions. An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 19.10 and Ubuntu 20.04 LTS. (CVE-2020-13435) It was discovered that SQLite incorrectly handled certain fts3 queries. An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code. An attacker could possibly use this issue to cause a denial of service. This issue was only addressed in Ubuntu 19.10 and Ubuntu 20.04 LTS. (CVE-2020-13631) It was discovered that SQLite incorrectly handled certain fts3 queries. An attacker could use this issue to cause SQLite to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2020-13632) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 20.04 LTS: libsqlite3-0 3.31.1-4ubuntu0.1 sqlite3 3.31.1-4ubuntu0.1 Ubuntu 19.10: libsqlite3-0 3.29.0-2ubuntu0.3 sqlite3 3.29.0-2ubuntu0.3 Ubuntu 18.04 LTS: libsqlite3-0 3.22.0-1ubuntu0.4 sqlite3 3.22.0-1ubuntu0.4 Ubuntu 16.04 LTS: libsqlite3-0 3.11.0-1ubuntu1.5 sqlite3 3.11.0-1ubuntu1.5 In general, a standard system update will make all the necessary changes

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

local

TYPE

other

EXPLOIT AVAILABILITY

PATCH

EXTERNAL IDS

REFERENCES

CREDITS

Red Hat

SOURCES

LAST UPDATE DATE

2026-04-18T20:55:07.374000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE