We do use FTS3 and don't provide execution of arbitrary SQL in our product code (of course, SQL injection is also not possible), but clients could write their own customizations via plugins.
--- Vladimir

-----Original Message-----
From: sqlite-users [mailto:[email protected]] On Behalf Of Warren Young
Sent: Monday, January 28, 2019 21:05
To: SQLite mailing list <[email protected]>
Subject: Re: [sqlite] Claimed vulnerability in SQLite: Info or Intox?

On Jan 28, 2019, at 1:26 AM, Vladimir Barbu <[email protected]> wrote:
>
> This vulnerability has been addressed in SQLite 3.26.0. When could we expect
> new version (official) of System.Data.SQLite which uses 3.26.0?

Are you both using FTS3 *and* letting your users execute arbitrary SQL? Most of the time, the latter is a vulnerability in and of itself.

_______________________________________________
sqlite-users mailing list
[email protected]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

