ericsink / SQLitePCL.raw

A Portable Class Library (PCL) for low-level (raw) access to SQLite
Apache License 2.0
512 stars 106 forks

Security fix for e_sqlcipher 3.39.2 #540

Closed JimBretti closed 5 months ago

JimBretti commented 1 year ago

We are using e_sqlcipher and are having the same BlackDuck issue as the one reported at https://github.com/ericsink/SQLitePCL.raw/issues/531

Are there plans to update e_sqlcipher to resolve issue CVE-2022-46908?

ericsink commented 1 year ago

Last I checked (a few weeks ago), SQLCipher did not yet have a release based on a newer version.

I'm unavailable for the next couple of weeks, so I'll review this issue again after that.

I do suggest you report this as a bug in BlackDuck. The reported CVE does not affect the SQLite library itself, so it is not present in e_sqlite3 or e_sqlcipher.
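The check behind the point above is to look at what the native library in the running process actually reports, rather than at the package name the scanner matched. The following is an added example, not code from this thread or from the SQLitePCL.raw project; it assumes the `SQLitePCLRaw.bundle_e_sqlcipher` package is referenced and uses the `raw` API of SQLitePCL.raw 2.x (`sqlite3_libversion`, `sqlite3_libversion_number`, and a `PRAGMA cipher_version` query, which works on an unkeyed database). The `3043000` cut-off is taken from the "up to 3.43.0" wording later in this thread for CVE-2023-7104 and is only an illustration of how to compare against a CVE's stated range.

```csharp
// Added example (not part of SQLitePCL.raw): report the SQLite and SQLCipher
// versions actually linked into the process so a scanner finding can be checked
// against the real component and version, not the NuGet package name.
// Assumes: SQLitePCLRaw.bundle_e_sqlcipher is referenced.
using System;
using SQLitePCL;

public static class NativeVersionCheck
{
    // Encode "major.minor.patch" the way sqlite3_libversion_number() does,
    // e.g. 3.39.2 -> 3039002, so ranges from an advisory can be compared as ints.
    public static int VersionNumber(int major, int minor, int patch) =>
        major * 1000000 + minor * 1000 + patch;

    // True when the linked SQLite is at or below the last version the advisory
    // names (the thread's "up to 3.43.0" reads as inclusive; cut-off is an assumption).
    public static bool IsWithinAdvisoryRange(int libVersionNumber, int lastAffected) =>
        libVersionNumber <= lastAffected;

    public static void Main()
    {
        // Load the e_sqlcipher native library shipped with the bundle.
        Batteries_V2.Init();

        // These come from the SQLite amalgamation that SQLCipher is built on.
        string sqliteVersion = raw.sqlite3_libversion().utf8_to_string();
        int sqliteNumber = raw.sqlite3_libversion_number();
        Console.WriteLine($"SQLite library: {sqliteVersion} ({sqliteNumber})");

        // SQLCipher reports its own version via a PRAGMA; no key is required.
        int rc = raw.sqlite3_open(":memory:", out sqlite3 db);
        if (rc != raw.SQLITE_OK)
            throw new InvalidOperationException($"sqlite3_open failed: {rc}");
        try
        {
            rc = raw.sqlite3_prepare_v2(db, "PRAGMA cipher_version;", out sqlite3_stmt stmt);
            if (rc != raw.SQLITE_OK)
                throw new InvalidOperationException($"sqlite3_prepare_v2 failed: {rc}");
            try
            {
                // A plain SQLite build returns no row for this PRAGMA, which is
                // itself a useful signal that e_sqlcipher is not what got loaded.
                if (raw.sqlite3_step(stmt) == raw.SQLITE_ROW)
                    Console.WriteLine("SQLCipher: " + raw.sqlite3_column_text(stmt, 0).utf8_to_string());
                else
                    Console.WriteLine("PRAGMA cipher_version returned no row: not a SQLCipher build");
            }
            finally { raw.sqlite3_finalize(stmt); }
        }
        finally { raw.sqlite3_close_v2(db); }

        // Illustrative comparison against an advisory's stated range
        // (3.43.0 from this thread's description of CVE-2023-7104; assumption).
        int lastAffected = VersionNumber(3, 43, 0);
        Console.WriteLine(IsWithinAdvisoryRange(sqliteNumber, lastAffected)
            ? "Linked SQLite is within the stated affected range; check whether the affected code path is in the library build."
            : "Linked SQLite is newer than the stated affected range.");
    }
}
```

Even when the version falls inside the range, the second question still applies: whether the flagged code is in the library at all. A CVE in the `sqlite3` command-line shell, as the maintainer notes above, is not present in a library-only build such as e_sqlite3 or e_sqlcipher, whatever version string it reports.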

JimBretti commented 1 year ago

Thanks Eric, I did report an issue with BlackDuck.

ericsink commented 1 year ago

See sqlcipher/sqlcipher#464

JimBretti commented 5 months ago

Hello Eric, a new vulnerability, CVE-2023-7104, was found in SQLite SQLite3 up to 3.43.0 and classified as critical.

Do you know if sqlcipher will be updated to sqlite 3.44?

ericsink commented 5 months ago

> Do you know if sqlcipher will be updated to sqlite 3.44?

No, I don't. I suggest asking the sqlcipher developers.