Subject: CVS commit: pkgsrc/databases/ruby-sqlite3
From: Takahiro Kambe
Date: 2022-10-06 16:19:01
Message id: 20221006141901.9BACFFA90@cvs.NetBSD.org
Log Message:
databases/ruby-sqlite3: update to 1.5.2
1.5.2 (2022-10-01)
Packaging
This version correctly vendors the tarball for sqlite v3.39.4 in the vanilla
"ruby" platform gem package, so that users will not require network access
at installation.
v1.5.0 and v1.5.1 mistakenly packaged the tarball for sqlite v3.38.5 in the
vanilla "ruby" platform gem, resulting in downloading the intended tarball
over the network at installation time (or, if the network was not available,
failure to install). Note that the precompiled native gems were not
affected by this issue. [#352]
1.5.1 (2022-09-29)
Dependencies
* Vendored sqlite is updated to v3.39.4.
Security
The vendored version of sqlite, v3.39.4, should be considered to be a
security release. From the release notes:
Version 3.39.4 is a minimal patch against the prior release that
addresses issues found since the prior release. In particular, a
potential vulnerability in the FTS3 extension has been fixed, so
this should be considered a security update.
In order to exploit the vulnerability, an attacker must have full
SQL access and must be able to construct a corrupt database with
over 2GB of FTS3 content. The problem arises from a 32-bit signed
integer overflow.
For more information please see GHSA-mgvv-5mxp-xq67.
Files:
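An added example (not part of the commit message or of the sqlite3 gem's own code): a Ruby audit that flags `sqlite3` entries in a Gemfile.lock according to the changelog above, then reports the sqlite version actually loaded at runtime. The lockfile fragment is constructed and the helper names (`sqlite3_lock_entries`, `audit_entry`, `sqlite_patched?`) are hypothetical.

```ruby
FIXED_SQLITE  = Gem::Version.new("3.39.4")  # sqlite release carrying the FTS3 fix
FIRST_FIXED   = Gem::Version.new("1.5.1")   # first gem release vendoring it
WRONG_TARBALL = %w[1.5.0 1.5.1].freeze      # "ruby" platform gems with the wrong tarball

# Extract sqlite3 entries from Gemfile.lock text, e.g. "    sqlite3 (1.5.1-x86_64-linux)".
def sqlite3_lock_entries(lock_text)
  lock_text.scan(/^ {4}sqlite3 \(([^\-)\s]+)(?:-([^)\s]+))?\)$/).map do |version, platform|
    { version: version, platform: platform || "ruby" }
  end
end

# Findings for one lock entry, derived only from the changelog text above.
def audit_entry(entry)
  findings = []
  older = Gem::Version.new(entry[:version]) < FIRST_FIXED
  findings << "released before vendored sqlite was updated to #{FIXED_SQLITE}" if older
  needs_net = entry[:platform] == "ruby" && WRONG_TARBALL.include?(entry[:version])
  findings << "fetches the sqlite tarball over the network at install time" if needs_net
  findings
end

# True when a reported sqlite library version includes the 3.39.4 fix.
def sqlite_patched?(version_string)
  Gem::Version.new(version_string) >= FIXED_SQLITE
end

# Constructed sample lockfile fragment (not from the page).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      sqlite3 (1.5.0)
      sqlite3 (1.5.1-x86_64-linux)
      sqlite3 (1.5.2)
LOCK

sqlite3_lock_entries(SAMPLE_LOCK).each do |e|
  notes = audit_entry(e)
  puts "sqlite3 #{e[:version]} (#{e[:platform]}): #{notes.empty? ? 'ok' : notes.join('; ')}"
end

begin
  require "sqlite3" # runtime check only when the gem is installed
  v = SQLite3::Database.new(":memory:").get_first_value("SELECT sqlite_version()")
  puts "loaded sqlite #{v}: #{sqlite_patched?(v) ? 'patched' : 'older than 3.39.4'}"
rescue LoadError
  puts "sqlite3 gem not installed; skipping runtime check"
end
```

The runtime query matters when the gem is built against a system sqlite rather than the vendored tarball, since the gem version alone then says nothing about the library in use.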