The latest jetty:alpine version (JETTY_VERSION=9.4.18.v20190429) includes sqlite (used in sqlite-libs) as a dependency, and this version has 2 security vulnerabilities, causing Docker images that use jetty:alpine as a base image to be flagged by container registry vulnerability scans.
Both vulnerabilities have been fixed in sqlite 3.28.0-r0.
An exploitable use after free vulnerability exists in the window function functionality of Sqlite3 3.26.0. A specially crafted SQL command can cause a use after free vulnerability, potentially resulting in remote code execution. An attacker can send a malicious SQL command to trigger this vulnerability.
fixed in 3.28.0-r0
Can sqlite 3.28.0-r0 be included to avoid these 2 vulnerabilities?
thanks
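One way to check an image built on jetty:alpine for the affected package before a registry scan does, as an added example that is not part of the original issue or the Jetty project: the script parses `apk info -v` style output (the package list below is constructed for illustration, not taken from the image) and compares the installed sqlite-libs version against the 3.28.0-r0 fix named above.

```shell
#!/bin/sh
# Constructed sample of `apk info -v` output from an Alpine-based image
# (versions chosen for illustration; only the sqlite-libs line matters here).
SAMPLE_APK_INFO='musl-1.1.20-r4
sqlite-libs-3.26.0-r3
openjdk8-jre-base-8.212.04-r0'

# Version of sqlite-libs that the issue names as carrying the fix.
SQLITE_FIXED_VERSION="3.28.0-r0"

# Return 0 (true) if Alpine version $1 is older than $2.
# Handles plain X.Y.Z-rN versions: "-r" is treated as one more dotted
# field, and each field is compared numerically from left to right.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        gsub(/-r/, ".", a); gsub(/-r/, ".", b)
        na = split(a, fa, "."); nb = split(b, fb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? fa[i] + 0 : 0
            y = (i <= nb) ? fb[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1
    }'
}

# Print the installed version of package $1 from `apk info -v` lines on
# stdin (format <name>-<version>-r<rel>); prints nothing if not installed.
installed_version() {
    grep "^$1-[0-9]" | sed "s/^$1-//" | head -n 1
}

# Print "vulnerable", "fixed" or "absent" for sqlite-libs in package list $1.
sqlite_status() {
    v=$(printf '%s\n' "$1" | installed_version sqlite-libs)
    if [ -z "$v" ]; then
        echo absent
    elif version_lt "$v" "$SQLITE_FIXED_VERSION"; then
        echo vulnerable
    else
        echo fixed
    fi
}

sqlite_status "$SAMPLE_APK_INFO"   # prints "vulnerable" for the sample above
```

Against a real image, feed it `docker run --rm <image> apk info -v` instead of the constructed sample.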