The main, redistributable library, NHibernate.dll, has no dependencies on SQLite. It is up to anyone targeting this database to include whatever dependencies they require, and to ensure they have up-to-date ones.
The NHibernate test project does depend on SQLite. But it is not meant to be distributed and used by other software. It is only the test project for running the NHibernate test suite. It tends to target rather old database providers. I do not think having our test project depending on vulnerable database providers is an issue, as it does run on a clean VM instantiated for the sole purpose of running the tests.

On Tuesday, April 27, 2021 at 15:35:33 UTC+2, Zika development wrote:
> Hi everyone,
> I searched through the group but didn't find any suitable conversation to
> post my question, so I'm opening this one. In my company, we are
> considering using NH, and we run the security analysis prior to integrating
> it.
> The analysis also searched through the third-party libraries used by the
> NH, including the *SQLite.Interop.dll*. We discovered that
> *SQLite.Interop.dll* is using an old version of SQLite (v 3.22.0), which
> has multiple vulnerabilities reported (CVEs at the end of the message).
> Can you please tell me if you are aware of these vulnerabilities?
> Furthermore, did you run any analysis of their potential impact on the NH
> itself?
> Thank you in advance!
>
> CVE-2019-8457, CVE-2020-11656, CVE-2019-19646, CVE-2018-20506,
> CVE-2018-20346, CVE-2020-11655, CVE-2018-20505, CVE-2018-8740,
> CVE-2020-13630, CVE-2019-16168, CVE-2020-15358, CVE-2020-13632,
> CVE-2020-13631, CVE-2020-13435, CVE-2020-13434, CVE-2019-19645
