Re: [LUG] sqlite problems
On Tuesday, 13 August 2019 15:18:49 BST Tom via list wrote:
> 
> As I understand it though most access to SQLite is via libraries - the
> python3 one has not been updated so I'd imagine it's still statically
> linked to the old version until you re-install it.

On Debian CVE-2019-8457, which is the SQL issue discussed in the Checkpoint
blog, is backported to libsqlite3-0, which is dynamically linked with most
apps. It may vary with distro; my box patched itself 2019-06-14.

That said, I don't think that is really the key takeaway from the article; it
is basically saying loading untrusted SQLite database files may allow code
execution, and running arbitrary SQL commands may allow code execution, and I
very much doubt patching any one hole will fix this state of affairs.

Complex applications can be subverted by malicious input, and this won't 
change any time soon, although we can probably do a lot better than we are.

Having read around SQLite a bit, I'm starting to think key-value stores like 
gdbm have a lot to recommend them. Choose the dependencies which are as simple 
as possible but not simpler, perhaps.
-- 
The Mailing List for the Devon & Cornwall LUG
https://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
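The reply above makes two practical points: a backported fix in libsqlite3-0 only reaches an application that links the library dynamically, and an untrusted database file is itself an attack surface. As an added example (not part of the list post), the Python below reports the SQLite library version actually loaded at run time and opens a file the application did not create with reduced attack surface; `open_untrusted` and `demo` are hypothetical helper names, and the sample database is constructed in a temporary directory.

```python
import pathlib
import sqlite3
import tempfile

def library_version():
    # Version of the runtime SQLite library (on Debian, libsqlite3-0), not the wrapper.
    return sqlite3.sqlite_version_info

def open_untrusted(path, allowed_types=("table", "index")):
    # Hypothetical helper: open a file the application did not create with a
    # reduced attack surface (read-only, no extensions, defensive mode, schema policy).
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        if hasattr(conn, "enable_load_extension"):  # no native code via SQL
            conn.enable_load_extension(False)
        # Python 3.12+ on SQLite 3.26+: DEFENSIVE disables features that only
        # make sense for a trusted schema; silently skipped on older builds.
        defensive = getattr(sqlite3, "SQLITE_DBCONFIG_DEFENSIVE", None)
        if defensive is not None and hasattr(conn, "setconfig"):
            conn.setconfig(defensive, True)
        if conn.execute("PRAGMA quick_check").fetchone()[0] != "ok":
            raise ValueError("quick_check failed")
        # Views and triggers are SQL the file runs on our behalf; a plain data
        # file should not need them, so refuse anything not on the allow-list.
        found = {r[0] for r in conn.execute("SELECT type FROM sqlite_master")}
        extra = found - set(allowed_types)
        if extra:
            raise ValueError("unexpected schema objects: " + ", ".join(sorted(extra)))
    except Exception:
        conn.close()
        raise
    return conn

def demo():
    # Constructed sample: a file we "received", opened the hardened way.
    with tempfile.TemporaryDirectory() as d:
        path = pathlib.Path(d) / "untrusted.db"
        src = sqlite3.connect(path)
        src.executescript("CREATE TABLE t(x); INSERT INTO t VALUES (1),(2);")
        src.close()
        conn = open_untrusted(path)
        rows = [r[0] for r in conn.execute("SELECT x FROM t ORDER BY x")]
        try:
            conn.execute("INSERT INTO t VALUES (3)")
            writable = True
        except sqlite3.OperationalError:  # "attempt to write a readonly database"
            writable = False
        conn.close()
        return {"rows": rows, "writable": writable}
```

Comparing `library_version()` with the version your distro's security advisory names tells you whether the process is using the patched shared library rather than a private copy.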