security issue - sqlite vulnerability

David Harris Member Posts: 6 ✭✭

I see that Proclaim is using the SQLite database components. Can you confirm what version is being distributed? SQLite has released updated version 3.26.0 of its software to address the issue. Are there plans to update to the latest version?

https://thehackernews.com/2018/12/sqlite-vulnerability.html

--DH

Comments

  • DominicM Member Posts: 2,995 ✭✭✭

    3.12, but it's not the stock DLL.

    Whilst security is always a concern, and FL are good at fixing issues like this, I believe the risk to us is low, and we should be so worthy that our sermons were indeed targets for hackers.

    Never Deprive Anyone of Hope.. It Might Be ALL They Have

  • Bradley Grainger (Logos) Administrator, Logos Employee Posts: 12,192

    The lead author of SQLite has this to say about it https://twitter.com/DRichardHipp/status/1073779742552350720 :

    Reports of an RCE vulnerability in SQLite are greatly exaggerated. Some clever gray-hats found a way to get RCE using maliciously crafted SQL. So, IF you allow random internet users to run arbitrary SQL on your system, you should upgrade. Otherwise, you are not at risk.

    Proclaim does not use SQLite in such a way that it permits execution of arbitrary SQL, so it is not vulnerable to the attack (as we understand it).

    We generally do update third-party libraries on a regular basis to ensure that we have the latest bug fixes, so SQLite will be updated at some point in the future; however, we have decided that it does not need to be done urgently.
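
Added example (not part of the thread and not Logos or Proclaim code): the two checks the discussion turns on, namely comparing a bundled SQLite version against the 3.26.0 release named in the question, and confirming that an application runs only fixed statements with bound parameters rather than caller-supplied SQL. The `slides` table and all function names are hypothetical.

```python
import sqlite3

FIXED_VERSION = (3, 26, 0)   # release named in the original question
ALLOWED_TABLES = {"slides"}  # hypothetical application table

def parse_version(text):
    """Turn '3.12' or '3.26.0' into a tuple so comparison is numeric."""
    return tuple(int(part) for part in text.split("."))

def needs_upgrade(version_text, fixed=FIXED_VERSION):
    """True when the given SQLite version predates the fixed release."""
    return parse_version(version_text) < fixed

def read_only_authorizer(action, arg1, arg2, db_name, source):
    """Allow plain SELECTs that read allow-listed tables; deny the rest."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and arg1 in ALLOWED_TABLES:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY

def open_demo_db():
    """Build a constructed in-memory database, then lock it down."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE slides (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO slides (title) VALUES (?)", ("Welcome",))
    conn.set_authorizer(read_only_authorizer)
    return conn

def find_titles(conn, title):
    """Fixed statement; user input is bound as data, never parsed as SQL."""
    rows = conn.execute("SELECT title FROM slides WHERE title = ?", (title,))
    return [row[0] for row in rows]

def is_rejected(conn, sql):
    """True when the authorizer refuses to prepare the statement."""
    try:
        conn.execute(sql)
    except sqlite3.DatabaseError:
        return True
    return False

if __name__ == "__main__":
    # Version of the SQLite library this Python build is linked against.
    print(sqlite3.sqlite_version, needs_upgrade(sqlite3.sqlite_version))
    conn = open_demo_db()
    print(find_titles(conn, "Welcome"))
    print(is_rejected(conn, "DROP TABLE slides"))
```

The authorizer is a second layer: even if a code path were later found that passed caller-controlled text to `execute`, statements outside the allow-list would fail at prepare time.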