-
Hello,

My version of SQLite is:

    $ pacman -Q sqlite
    sqlite 3.46.0-1

However, if I run this in SQLpage (version 0.23.0):

    SELECT 'debug' AS component, sqlite_version();

I get:

    {"component":"debug","sqlite_version()":"3.45.0"}

I understand that the SQLpage binary contains its own SQLite binary embedded into it, which explains the difference in versions between what's installed on my system and what's showing up on a web page produced with SQLpage.

That said, is there a reason why SQLpage doesn't update its embedded SQLite along with the SQLite project? For information, SQLite 3.46.0 was released on 23 May 2024 whereas SQLpage 0.23.0 (most recent version when I am writing these lines) is dated 9 June 2024 in commit

How long does it usually take for SQLpage to catch up with upstream SQLite? What about if a vulnerability is discovered in SQLite?

The risk is to end up using a new SQLite functionality that will not be present in SQLpage's SQLite or, worse, running an insecure version.
Replies: 6 comments
-
Hi @lyderic! About security: I can recommend this good and detailed overview of security vulnerabilities in SQLite: https://www.sqlite.org/cves.html
-
Thanks a lot for this detailed answer.
L.
…On Thu, 20 Jun 2024, 12:51 Ophir LOJKINE, ***@***.***> wrote:
Hi @lyderic <https://github.com/lyderic> !
Yes, we are dependent on the rust SQLite library we use, and can be a few
versions behind on the latest version from upstream.
About security: I can recommend this good and detailed overview of
security vulnerabilities in SQLite: https://www.sqlite.org/cves.html
In short: we could run a 10 year old SQLite, and there still wouldn't be
any vulnerability reachable by your application users (as opposed to
vulnerabilities that you could voluntarily trigger yourself by writing
malicious SQL). Of course we cannot promise that it will never happen in
the future (in which case we would make an emergency release), but I think
sqlite's track record speaks for itself.
-
I opened a ticket upstream: rusqlite/rusqlite#1513
-
That's great. Thanks!
-
Just merged the latest sqlite :)
-
You rock ;-)