Update SQLite to 3.28 in Windows and macOS installer builds #79541
Comments
Windows and macOS installers require SQLite, but they require different versions! Windows uses 3.21 or 3.14, but macOS uses 3.22. I'm talking about the following line in PCbuild\get_externals.bat: `set libraries=%libraries% sqlite-3.21.0.0`
SQLite[Windows]: 3.21.0.0
SQLite[Windows]: 3.14.2.0
Note: I wrote a script to get external dependencies: https://github.com/vstinner/misc/blob/master/cpython/external_versions.py
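An added example, not part of the comment above and not the script it links to: it reads the SQLite pin from text in the style of `PCbuild\get_externals.bat` and checks both that pin and the SQLite library the running interpreter is linked against with a version floor. The sample batch text is constructed (only the sqlite line comes from the issue), and the function names and the 3.28 floor passed in are assumptions for illustration.

```python
import re
import sqlite3

# Constructed sample in the style of PCbuild\get_externals.bat; only the
# sqlite line is taken from the issue text, the other lines are made up.
SAMPLE_BAT = r"""
set libraries=
set libraries=%libraries% example-lib-1.0.0
if NOT "%IncludeExample%"=="false" set libraries=%libraries% other-lib-2.3
set libraries=%libraries% sqlite-3.21.0.0
"""

# Matches "set libraries=%libraries% <name>-<dotted version>" at end of line.
PIN_RE = re.compile(
    r"set\s+libraries=%libraries%\s+([A-Za-z][\w-]*?)-(\d+(?:\.\d+)*)\s*$")


def pinned_versions(bat_text):
    """Return {library name: version tuple} for every pinned dependency."""
    pins = {}
    for line in bat_text.splitlines():
        m = PIN_RE.search(line)
        if m:
            pins[m.group(1)] = tuple(int(p) for p in m.group(2).split("."))
    return pins


def meets_floor(version, floor):
    """Compare version tuples, padding the shorter one with zeros."""
    width = max(len(version), len(floor))
    padded_version = tuple(version) + (0,) * (width - len(version))
    padded_floor = tuple(floor) + (0,) * (width - len(floor))
    return padded_version >= padded_floor


def audit(bat_text, floor, runtime=sqlite3.sqlite_version_info):
    """Report whether the build pin and the linked library reach `floor`."""
    pin = pinned_versions(bat_text).get("sqlite")
    return {
        "pinned": pin,
        "pinned_ok": pin is not None and meets_floor(pin, floor),
        "runtime": tuple(runtime),
        "runtime_ok": meets_floor(runtime, floor),
    }


if __name__ == "__main__":
    # The floor of 3.28 is the target version named in the issue title.
    print(audit(SAMPLE_BAT, floor=(3, 28)))
```

The `runtime` value defaults to `sqlite3.sqlite_version_info`, which reports the SQLite library actually loaded by the interpreter and can differ from the version pinned in the build script.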
First the sqlite branch should be updated in: Then a new tag should be created in this repository. I tried to update cpython-source-deps, but "git push" never completed. I will retry next week ;-)
With the discovery of the SQLite "Magellan" bug, could the version be upgraded to 3.26 for all Python versions? As far as I know, the security case is restricted to where the user is allowing arbitrary SQL execution without arbitrary Python execution, but in that case I do believe remote code execution is possible.
SQLite updates and changes for us almost always get stuck on someone being willing to verify that nothing has broken (and stand by their analysis). Without an active expert (I just nosied ghaering in case they are around), I'm not confident to make this change in any version prior to 3.8.
We should look at doing this for the next set of maintenance updates. This doesn't appear to be critical enough to delay current releases unless someone can show how this exploit could be used in a typical Python application.
sqlite-3.28.0 now available, with extended window function support: EXCLUDE clause, GROUPS frame types, window chaining, and support for "<expr> PRECEDING" and "<expr> FOLLOWING" boundaries in RANGE frames.
Any hope to have a SQLite refresh in Python-3.8.0b1 for Windows/Mac? It's generally the ideal / less annoying moment to do so.
@Mariatta Wijaya, would you update SQLite? I want to do it myself, by following your patch in bpo-28791.
Any hope for beta2?
Has anyone tried building with the newer SQLite and confirmed that the tests and any scenarios they use still work? We don't currently have a SQLite expert to do these kinds of things.
On my test cases, sqlite_bro and baresql, db.py, it works without problems.
I just pushed sources with tag sqlite-3.28.0.0, so now anybody should be able to submit a CPython PR for it.
There will be a security fix in sqlite-3.30 around October 10th. https://nvd.nist.gov/vuln/detail/CVE-2019-16168#VulnChangeHistorySection
Please file a new issue |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.