SQLite 3.30.1

[Filip01011010]

Currently used version of SQLite has a known vulnerability. Could you please upgrade SQLite to version above 3.30.1?

[ericsink]

Will do.

[aloknakate84]

Hi Eric, Any update on the SQlite 3.30.1?

[ericsink]

I can assure you that when there is an update, it will be visible here in this issue.

I haven't gotten this done yet. Soon.

[ericsink]

I assume you are talking about the so-called "Magellan 2.0" stuff from Tencent.

FWIW, the author of SQLite posted something on the sqlite-users mailing list yesterday giving his opinion about the urgency (or lack of same) on this issue.

Anyway, regardless of whether these vulnerabilities are urgent or not, as far as I can tell, 3.30.1 does not actually contain a patch for them.

[Filip01011010]

According to https://nvd.nist.gov/vuln/detail/CVE-2019-19646
criticality level is pretty high: "Base Score: 9.8 CRITICAL"

[ericsink]

I'm not interested in arguing about how critical this is or is not. The fact remains, there is AFAICT no SQLite release which contains a fix.

[Filip01011010]

No arguing here. I missed the fact that 3.30.1 was also affected

[bricelam]

I'm eager to use the following features:

• sqlite3_stmt_isexplain (Add sqlite3_stmt_isexplain function. #326)
• generated columns

[ericsink]

In progress at #340

[ericsink]

v2.0.3 has been pushed to nuget. Its e_sqlite3 bulds are at 3.31.1.

[tranb3r]

It seems like sqlcipher is still 4.2.0 (based on sqlite 3.28.0).
Are you planning to upgrade it to 4.3.0 (based on sqlite 3.30.1) ?

[ericsink]

Yes, probably.

(The e_sqlcipher builds are unofficial and unsupported, and I update them less frequently. I typically recommend that folks buy official builds from Zetetic. )

[tranb3r]

@ericsink
sqlcipher 4.4.0 (based on sqlite 3.31.0) was released a few months ago.
Are you planning an update ?