
SQLite binaries should be upgraded to latest patched sqlite 3.32.1, due to critical and high vulnerabilities #1340

Closed
aberezovski opened this issue Jun 2, 2020 · 5 comments

Comments

@aberezovski

aberezovski commented Jun 2, 2020

Hi Mapbox team,

Recently our company internal docker image scanner reported a bunch of critical and high vulnerabilities related to the sqlite binaries version 3.31.1 which is used by the sqlite3 npm package version 4.2.0.

The list of vulnerabilities is:

Is there any planned activity to perform the upgrade to the latest sqlite distribution, version 3.32.1 from 2020-05-25?

Looking forward to your feedback soon.

Thank you in advance.

bobbywang000 added a commit to bobbywang000/nemosyne that referenced this issue Jun 26, 2020
SQLite has a default maximum number of variables when using IN queries. This causes SQLite to fail when too many entries match the initial sql query. See https://www.sqlite.org/limits.html#max_variable_number for more information.

Currently, sqlite3 version 4.2.0 uses sqlite binary 3.24.0, which has `SQLITE_MAXIMUM_VARIABLE_NUMBER = 999`. Upgrading to sqlite >= 3.32 would allow for that maximum number to be 32766, but that hasn't been done yet. Track progress of that upgrade in TryGhost/node-sqlite3#1340.
@F7502

F7502 commented Jul 1, 2020

Hey, I also have the same issue, as I really need to get rid of these vulnerabilities. Is there any plan for when to upgrade the sqlite version to some newer and less vulnerable one?

Ah, just saw #1341 and the comment that it will be released soon, thx :-)

@aberezovski
Author

One more PR #1353 that points to the latest sqlite distribution 3.32.3

@ErisDS
Member

ErisDS commented Jul 9, 2020

Updating to the latest 3.32 versions would also mean that by default the variable limit increases from 999 to 32766, which would be amazing.

https://www.sqlite.org/releaselog/3_32_0.html

@aberezovski
Author

Hi @ErisDS ,
The PR #1351 was already merged. It contains the upgrade to SQLite 3.32.3.

The only missing part is to make the release 5.0.1. Hope that will not last ages.

@daniellockyer
Member

This release was published, so I'm going to close the issue 🙂
