xerial/sqlite-jdbc

Please create a new release with native SQLite >= 3.32.1 to fix multiple CVEs

sseide opened this issue · 3 comments

As this jar file contains precompiled libraries of sqlite, it would be good to release a new version of the jdbc driver with updated native sqlite libraries.

The currently used version 3.31.1 is vulnerable to multiple different attacks ranging from medium up to critical, as their respective CVEs show:

Even if not all of them may be exploitable from the jdbc side, there are more than enough critical fixes inside the native parts to make a new release of the jdbc driver.

Thanks in advance,
Stefan Seide

Thanks for the notice. Will check the latest SQLite version.

Released sqlite-jdbc-3.32.3

Many thanks for the fast response!