Closed alameenshah closed 1 year ago
From a brief reading of the details, it looks like this vulnerability is confined to the CLI, which I don't include. It's not related to the core SQLite library.
My favorite snippet from the sqlite forum thread at https://sqlite.org/forum/forumpost/07beac8056151b2f :
This is a very different sort of risk than is presented by exploitable malfunctions in the core SQLite library. Calling this one a "CVE" is yet another degradation of the CVE system's value.
That makes sense. Thank you for checking, Eric.
At work though, this CVE got flagged as a blocker by the BlackDuck security scanner. Looking at my options: 1) In case you usually pick up SQLite updates quite often, then maybe I can wait? 2) To upgrade SQLitePCL.raw to use the new SQLite, can I just create a PR against https://github.com/ericsink/cb with the new amalgamated SQLite sources? Like this commit? Or is it more involved than that? Assuming I don't break anything else, would you be able to review and consider accepting the PR?
I'll try to update the SQLite build soon, but I recommend not submitting the PR you described. The process involves much more than that, so the PR wouldn't make it happen any faster.
SQLitePCLRaw 2.1.4 is now available on nuget.org. The e_sqlite3 builds have been updated to 3.40.1. You may wish to think of this release as a workaround for the bug in BlackDuck. ;-)
Awesome... Thank you Eric!
Hello... New vulnerability reported on SQLite versions through 3.40.0 - CVE-2022-46908.
Could we update to version 3.40.1, please...