SQLite binaries should be upgraded to latest patched sqlite 3.32.1, due critical and high vulnerabilities

[aberezovski]

Hi Mapbox team,

Recently our company internal docker image scanner reported a bunch of critical and high vulnerabilities related to the sqlite binaries version 3.31.1 which is used by the sqlite3 npm package version 4.2.0.

The list of vulnerabilities is:

• https://nvd.nist.gov/vuln/detail/CVE-2020-11656 - CRITICAL
• https://nvd.nist.gov/vuln/detail/CVE-2020-13630 - CRITICAL
• https://nvd.nist.gov/vuln/detail/CVE-2020-13631 - HIGH
• https://nvd.nist.gov/vuln/detail/CVE-2020-13632 - HIGH
• https://nvd.nist.gov/vuln/detail/CVE-2020-13434 - HIGH
• https://nvd.nist.gov/vuln/detail/CVE-2020-13435 - HIGH
• https://nvd.nist.gov/vuln/detail/CVE-2020-11655 - HIGH
• https://nvd.nist.gov/vuln/detail/CVE-2020-9327 - HIGH

Is there any planned activity to perform the upgrade of the latest sqlite distribution version 3.32.1 from 2020-05-25?

Looking forward your soon feedback.

Thank you in advance.

[F7502]

Hey, I also have the same issue that I really need to get rid of these vulnerabilities. Is there any plan when to upgrade the sqlite version to some newer and less vulnerable one?

Ah, just saw #1341 and the comment that it will be release soon, thx :-)

[aberezovski]

One more PR #1353 that points to the latest sqlite distribution 3.32.3

[ErisDS]

Updating to the latest 3.32 versions would also mean that by default the variable limit increases from 999 to 32766 which would be amazing.

https://www.sqlite.org/releaselog/3_32_0.html

[aberezovski]

Hi @ErisDS ,
The PR #1351 was already merged. It contains the upgrade to SQLite 3.32.3.

The only missing part is to make the release 5.0.1. Hope that will not last ages.

[daniellockyer]

This release was published so I'm going to close the issue 🙂