security issue - sqlite vulnerability

Page 1 of 1 (3 items)
This post has 2 Replies | 1 Follower

Posts 6
David Harris | Forum Activity | Posted: Thu, Dec 20 2018 7:13 PM

I see that proclaim is using the sqlite database components. Can you confirm what version is being distributed? SQLite has released updated version 3.26.0 of its software to address the issue. Are there plans to update to the latest version?

https://thehackernews.com/2018/12/sqlite-vulnerability.html

--DH

Posts 2692
DominicM | Forum Activity | Replied: Thu, Dec 20 2018 10:25 PM

3.12, but its not the stock dll

Whilst security is always a concern, and FL are good at fixing issues like this, however I believe risk to us is low, and we should be so worthy that our sermons were indeed targets for hackers .

Never Deprive Anyone of Hope.. It Might Be ALL They Have

Posts 7983
LogosEmployee
Bradley Grainger (Faithlife) | Forum Activity | Replied: Thu, Dec 20 2018 11:07 PM

The lead author of SQLite has this to say about it https://twitter.com/DRichardHipp/status/1073779742552350720 :

Reports of an RCE vulnerability in SQLite are greatly exaggerated. Some clever gray-hats found a way to get RCE using maliciously crafted SQL. So, IF you allow random internet users to run arbitrary SQL on your system, you should upgrade. Otherwise, you are not at risk.

Proclaim does not use SQLite in such a way that it permits execution of arbitrary SQL, so it is not vulnerable to the attack (as we understand it).

We generally do update third-party libraries on a regular basis to ensure that we have the latest bug fixes so SQLite will be updated at some point in the future; however, we have decided that it does not need to be done urgently.

Page 1 of 1 (3 items) | RSS