Re: Talos Security Advisory for Sqlite3 (TALOS-2019-0777)

Re: Talos Security Advisory for Sqlite3 (TALOS-2019-0777)

Richard Hipp-3
On 5/8/19, Regina Wilson (regiwils) <[hidden email]> wrote:
> Hello D. Richard Hipp,
>
> To date, we have not received a response from point of contact handling
> security issues.  Can you assist with the issues reported via the bug report
> site?

We don't do PGP here.  But you can send unencrypted email directly to
me.  Once contact is established, I can make arrangements for secure
delivery of secret content, if you really think that level of concern
is warranted.

>
> Regina Wilson
> Analyst.Business Operations
> [hidden email]<mailto:[hidden email]>
>
> On Feb 5, 2019, at 4:14 PM, Regina Wilson (regiwils)
> <[hidden email]<mailto:[hidden email]>> wrote:
>
>
> Hello,
>
> The Cisco Talos team found a security vulnerability impacting Sqlite3
> customers. As this is a sensitive security issue, this email is to request a
> PGP key for further communication. If a key is not received or is
> unavailable, an unencrypted report will be sent to this address in two
> business days. Please acknowledge receipt of this email so we can confirm we
> have the correct email address for reporting security issues.  We found this
> email address via your site
> https://www.sqlite.org/src/wiki?name=Bug+Reports.
>
>
> For further information about the Cisco Vendor Vulnerability Reporting and
> Disclosure Policy please refer to this document which also links to our
> public PGP key.
> https://tools.cisco.com/security/center/resources/vendor_vulnerability_policy.html
>
> Please CC [hidden email]<mailto:[hidden email]> on all correspondence
> related to this issue.
>
> Regina Wilson
> Analyst.Business Operations
> [hidden email]<mailto:[hidden email]>


--
D. Richard Hipp
[hidden email]
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
Re: Talos Security Advisory for Sqlite3 (TALOS-2019-0777)

Richard Hipp-3
On 5/8/19, Regina Wilson (regiwils) <[hidden email]> wrote:
>
> Here’s a copy of the report.


Thanks!  Is the "poc" file available for our inspection too?

--
D. Richard Hipp
[hidden email]
Re: Talos Security Advisory for Sqlite3 (TALOS-2019-0777)

Richard Hipp-3
On 5/8/19, Richard Hipp <[hidden email]> wrote:
> On 5/8/19, Regina Wilson (regiwils) <[hidden email]> wrote:
>>
>> Here’s a copy of the report.
>
>
> Thanks!  Is the "poc" file available for our inspection too?

If you want to keep the "poc" encrypted, you can log in at
https://sqlite.org/secure/upload as user "talos" with password
"6diMu23YpNW" and upload the file to us that way.  If you do this,
please send us a separate email so that we will know to go retrieve
the file.

Security note: The password in the previous paragraph only permits
writing, not reading.  The only purpose of the password is to prevent
people from spamming us with extraneous uploads.  Knowledge of the
password does not enable an attacker to access the uploaded file. In
other words, the password is not a security mechanism - it is an
anti-spam mechanism.
--
D. Richard Hipp
[hidden email]
Re: Talos Security Advisory for Sqlite3 (TALOS-2019-0777)

Barry Smith
Dr. Hipp, you're sending your replies to the mailing list as well as your
intended recipient. Not sure if this is intended?

On Wed, 8 May 2019 at 08:02, Richard Hipp <[hidden email]> wrote:

> On 5/8/19, Richard Hipp <[hidden email]> wrote:
> > On 5/8/19, Regina Wilson (regiwils) <[hidden email]> wrote:
> >>
> >> Here’s a copy of the report.
> >
> >
> > Thanks!  Is the "poc" file available for our inspection too?
>
> If you want to keep the "poc" encrypted, you can log in at
> https://sqlite.org/secure/upload as user "talos" with password
> "6diMu23YpNW" and upload the file to us that way.  If you do this,
> please send us a separate email so that we will know to go retrieve
> the file.
>
> Security note: The password in the previous paragraph only permits
> writing, not reading.  The only purpose of the password is to prevent
> people from spamming us with extraneous uploads.  Knowledge of the
> password does not enable an attacker to access the uploaded file. In
> other words, the password is not a security mechanism - it is an
> anti-spam mechanism.
> --
> D. Richard Hipp
> [hidden email]