ualbertalib / NEOSDiscovery

Blacklight instance for the NEOS library consortium retired December 22, 2022
https://catalogue.neoslibraries.ca

Bump sqlite3 from 1.5.0 to 1.5.1 #631

Closed dependabot[bot] closed 1 year ago

dependabot[bot] commented 1 year ago

Bumps sqlite3 from 1.5.0 to 1.5.1.

Release notes

Sourced from sqlite3's releases.

1.5.1 / 2022-09-29

Dependencies

  • Vendored sqlite is updated to v3.39.4.

Security

The vendored version of sqlite, v3.39.4, should be considered to be a security release. From the release notes:

Version 3.39.4 is a minimal patch against the prior release that addresses issues found since the prior release. In particular, a potential vulnerability in the FTS3 extension has been fixed, so this should be considered a security update.

In order to exploit the vulnerability, an attacker must have full SQL access and must be able to construct a corrupt database with over 2GB of FTS3 content. The problem arises from a 32-bit signed integer overflow.

For more information please see GHSA-mgvv-5mxp-xq67.


sha256:

f9094440f8e561c5d37cf66a13c807f60ce5013d0a40ee5ee5942906b9cc77c4  sqlite3-1.5.1-aarch64-linux.gem
8ef2be3d373b4e4c4c3f7622b63403d1f7109fa5b9d922203ce29671f19d6b32  sqlite3-1.5.1-arm-linux.gem
aa38f01893530612dd1cb3083dc34fe3a22a7cb00393f9bdaa67c4498b228e06  sqlite3-1.5.1-arm64-darwin.gem
7940ee9080313fa44c9b33cd7c24c069f40f208b970234867239ef6b6d24db31  sqlite3-1.5.1-x64-mingw-ucrt.gem
1ee072798f8e10df1f34a8ee884eaad82a2d40b0cbbe5ebca2bcf937a9ca954c  sqlite3-1.5.1-x64-mingw32.gem
0e3807ad01aa6c77896d68658706b950328dd991e1dc8e9c56cafa69d64b4282  sqlite3-1.5.1-x86-linux.gem
319b1227e4983549f35997518dfa48df89239055e2460ec13277d84b2f3b200f  sqlite3-1.5.1-x86_64-darwin.gem
d983ba51eff37c3679963949f4132b32f528d0a0bc3df09150c8e1a0a88e0444  sqlite3-1.5.1-x86_64-linux.gem
9148b84e4810284fe18573fce214060011d3f7af3a46a3ebd65b066da8242fbc  sqlite3-1.5.1.gem
Changelog

Sourced from sqlite3's changelog.

1.5.1 / 2022-09-29

Dependencies

  • Vendored sqlite is updated to v3.39.4.

Security

The vendored version of sqlite, v3.39.4, should be considered to be a security release. From the release notes:

Version 3.39.4 is a minimal patch against the prior release that addresses issues found since the prior release. In particular, a potential vulnerability in the FTS3 extension has been fixed, so this should be considered a security update.

In order to exploit the vulnerability, an attacker must have full SQL access and must be able to construct a corrupt database with over 2GB of FTS3 content. The problem arises from a 32-bit signed integer overflow.

For more information please see GHSA-mgvv-5mxp-xq67.

Commits
  • 8ab3ecc version bump to 1.5.1
  • b026da1 Merge pull request #349 from sparklemotion/flavorjones-update-sqlite-3.39.4
  • 8ebb39d dep: update packaged sqlite3 to v3.39.4
  • 4bf6f66 doc: clarify how to avoid installing a native gem
  • See full diff in compare view



Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:

  • `@dependabot rebase` will rebase this PR
  • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
  • `@dependabot merge` will merge this PR after your CI passes on it
  • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
  • `@dependabot cancel merge` will cancel a previously requested merge and block automerging
  • `@dependabot reopen` will reopen this PR if it is closed
  • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
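The release notes above give two things a reviewer of this bump can actually check: the published sha256 of each 1.5.1 gem file, and the minimum vendored SQLite version (3.39.4) that carries the FTS3 fix. The following Ruby script is an added example, not code from this PR, the NEOSDiscovery project or the sqlite3 gem. It parses the checksum list exactly as printed in the release notes, verifies a downloaded gem file against it, and compares a SQLite version string against the 3.39.4 floor. The file written in the demo block is a constructed stand-in for a real gem download; the function names (`parse_checksums`, `verify_gem_file`, `vendored_sqlite_ok?`) are this example's own.

```ruby
require "digest"
require "rubygems"
require "tmpdir"

# Checksums copied verbatim from the sqlite3 1.5.1 release notes quoted above.
PUBLISHED_SHA256 = <<~SUMS
  f9094440f8e561c5d37cf66a13c807f60ce5013d0a40ee5ee5942906b9cc77c4  sqlite3-1.5.1-aarch64-linux.gem
  8ef2be3d373b4e4c4c3f7622b63403d1f7109fa5b9d922203ce29671f19d6b32  sqlite3-1.5.1-arm-linux.gem
  aa38f01893530612dd1cb3083dc34fe3a22a7cb00393f9bdaa67c4498b228e06  sqlite3-1.5.1-arm64-darwin.gem
  7940ee9080313fa44c9b33cd7c24c069f40f208b970234867239ef6b6d24db31  sqlite3-1.5.1-x64-mingw-ucrt.gem
  1ee072798f8e10df1f34a8ee884eaad82a2d40b0cbbe5ebca2bcf937a9ca954c  sqlite3-1.5.1-x64-mingw32.gem
  0e3807ad01aa6c77896d68658706b950328dd991e1dc8e9c56cafa69d64b4282  sqlite3-1.5.1-x86-linux.gem
  319b1227e4983549f35997518dfa48df89239055e2460ec13277d84b2f3b200f  sqlite3-1.5.1-x86_64-darwin.gem
  d983ba51eff37c3679963949f4132b32f528d0a0bc3df09150c8e1a0a88e0444  sqlite3-1.5.1-x86_64-linux.gem
  9148b84e4810284fe18573fce214060011d3f7af3a46a3ebd65b066da8242fbc  sqlite3-1.5.1.gem
SUMS

# Minimum vendored SQLite that contains the FTS3 fix named in the release notes.
MIN_SQLITE = Gem::Version.new("3.39.4")

# Parse "<sha256>  <filename>" lines (sha256sum format) into { filename => digest }.
# Lines that do not carry a 64-hex-digit digest are ignored rather than trusted.
def parse_checksums(text)
  text.each_line.with_object({}) do |line, acc|
    digest, name = line.strip.split(/\s+/, 2)
    next unless digest && name && digest.match?(/\A\h{64}\z/)
    acc[name.strip] = digest.downcase
  end
end

# Compare a gem file on disk against the published list.
# Returns :ok, :mismatch, or :unlisted (file name not in the published set).
def verify_gem_file(path, checksums)
  expected = checksums[File.basename(path)]
  return :unlisted unless expected
  Digest::SHA256.file(path).hexdigest == expected ? :ok : :mismatch
end

# True when the vendored SQLite version string meets the security floor.
# At runtime, pass SQLite3::SQLITE_VERSION (a constant the sqlite3 gem exposes).
def vendored_sqlite_ok?(version_string, minimum: MIN_SQLITE)
  Gem::Version.new(version_string) >= minimum
end

if __FILE__ == $PROGRAM_NAME
  sums = parse_checksums(PUBLISHED_SHA256)
  puts "parsed #{sums.size} published checksums"

  # Constructed stand-in for a downloaded gem: its digest will not match,
  # which is exactly the case a reviewer wants surfaced.
  Dir.mktmpdir do |dir|
    fake = File.join(dir, "sqlite3-1.5.1.gem")
    File.write(fake, "constructed placeholder, not a real gem")
    puts "#{File.basename(fake)}: #{verify_gem_file(fake, sums)}"
  end

  puts "3.39.3 acceptable? #{vendored_sqlite_ok?('3.39.3')}"
  puts "3.39.4 acceptable? #{vendored_sqlite_ok?('3.39.4')}"
end
```

In a CI step for this kind of bump, `verify_gem_file` runs against the gem fetched by `bundle install` (cached under the bundler gem directory) and `vendored_sqlite_ok?(SQLite3::SQLITE_VERSION)` runs once the gem is loaded, so the pipeline fails if either the artifact or the linked library is not what the release notes promise.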
dependabot[bot] commented 1 year ago

Superseded by #632.