Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency sqlite3 to "~> 1.5", ">= 1.5.1" [SECURITY] - autoclosed #25

Closed
wants to merge 1 commit into from
Closed

Update dependency sqlite3 to "~> 1.5", ">= 1.5.1" [SECURITY] - autoclosed #25

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Aug 6, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
sqlite3 "~> 1.4" -> "~> 1.5", ">= 1.5.1" age adoption passing confidence

GitHub Vulnerability Alerts

GHSA-mgvv-5mxp-xq67

Summary

The rubygem sqlite3 v1.5.1 upgrades the packaged version of libsqlite from v3.39.3 to v3.39.4.

libsqlite v3.39.4 addresses a vulnerability described as follows in the release notification:

Version 3.39.4 is a minimal patch against the prior release that addresses issues found since the
prior release. In particular, a potential vulnerability in the FTS3 extension has been fixed, so
this should be considered a security update.

In order to exploit the vulnerability, an attacker must have full SQL access and must be able to
construct a corrupt database with over 2GB of FTS3 content. The problem arises from a 32-bit
signed integer overflow.

This vulnerability has not been assigned a CVE and does not have a severity declared.

Please note that this advisory only applies to the sqlite3 gem v1.5.0, and only if the packaged libsqlite is being used. If you've overridden defaults at installation time to use system libraries instead of packaged libraries, you should instead pay attention to your distro's libsqlite release announcements.

Mitigation

Upgrade to the rubygem sqlite3 v1.5.1 or later.

Users who are unable to upgrade the sqlite3 gem may also choose a more complicated mitigation: compile and link sqlite3 against external libsqlite >= 3.39.4 which will also address these same issues.

References

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from Clivern as a code owner August 6, 2024 10:51
@renovate renovate bot changed the title Update dependency sqlite3 to "~> 1.5", ">= 1.5.1" [SECURITY] Update dependency sqlite3 to "~> 1.5", ">= 1.5.1" [SECURITY] - autoclosed Oct 9, 2024
@renovate renovate bot closed this Oct 9, 2024
@renovate renovate bot deleted the renovate/rubygems-sqlite3-vulnerability branch October 9, 2024 09:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Clivern Clivern Awaiting requested review from Clivern Clivern is a code owner

Assignees
No one assigned
Labels
🚧 Dependencies
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants