https://www.zdnet.com/article/sqlite-bu ... -browsers/
Article about an SQLite bug. Fix shipped in 3.26.0 on Dec 1st. I don't see any mention of SQLite in the 28.2.2 release notes, so a patch will probably need to be applied for 28.2.3?
SQLite security bug v3.25 (and lower?)
Forum rules
Please keep everything here strictly on-topic.
This board is meant for Pale Moon source code development related subjects only like code snippets, patches, specific bugs, git, the repositories, etc.
This is not for tech support! Please do not post tech support questions in the "Development" board!
Please make sure not to use this board for support questions. Please post issues with specific websites, extensions, etc. in the relevant boards for those topics.
Please keep things on-topic as this forum will be used for reference for Pale Moon development. Expect topics that aren't relevant as such to be moved or deleted.
- Astronaut
- Posts: 652
- Joined: 2015-07-30, 20:29
- Location: Vaughan, ON, Canada
SQLite security bug v3.25 (and lower?)
There's a right way
There's a wrong way
And then there's my way
Re: SQLite security bug v3.25 (and lower?)
Pale Moon does not support Web SQL API, so it is not affected.
- Board Warrior
- Posts: 1651
- Joined: 2018-06-08, 17:02
Re: SQLite security bug v3.25 (and lower?)
ZDnet also talks about "local attacks" (however unlikely).
And PM uses what an SQLite .js (.jsm) library kind of thing.
FF regularly updates SQLite, Bug 1511646 (SQLite3.26.0) Upgrade to SQLite 3.26.0 & I'd think PM would follow suit too, as a matter of course (though seemingly not of great importance at this time, even if it happens to be "dated").
Last edited by therube on 2018-12-17, 18:17, edited 1 time in total.
- Moon Magic practitioner
- Posts: 2194
- Joined: 2018-05-05, 13:29
Re: SQLite security bug v3.25 (and lower?)
Sqlite.jsm is available only to extensions though, so the only way to exploit it would be to create a malicious extension.
therube wrote:
ZDnet also talks about "local attacks" (however unlikely).
And PM uses what an SQLite .js (.jsm) library kind of thing.
FF regularly updates SQLite, Bug 1511646 (SQLite3.26.0) Upgrade to SQLite 3.26.0 & I'd think PM would follow suit too, as a matter of course (though seemingly not of great importance at this time, even if it happens to be "dated").
SQLite is directly accessible only through extensions on Pale Moon in general, so until someone manages to distribute said malicious extension, it's as JustOff said.