On 1/8/20, Ware, Ryan R <ryan.r.w...@intel.com> wrote:
>
> We've been following the Magellan 2.0
> (https://blade.tencent.com/magellan2/index_en.html) issues found by Tencent.
>

Why, oh why, are you doing this?

If you are a typical user of SQLite, then there are no vulnerabilities
in SQLite that you need to concern yourself with.

Now, if you have some application that allows anonymous rogue agents
on the internet to run arbitrary, unfiltered SQL statements using
SQLite, and if you enable the legacy "FTS3" extension, then the
so-called "Magellan 2.0" issues might be of concern to you.  But we
only know of a single application that fits this description - WebKit
- and that application was patched within hours of the hack becoming
known, which was many months ago.

Tencent has an amazing marketing organization that is remarkably
effective at promoting and amplifying every little trifling bug that
their hackers find and make it sound like it will bring an end to
civilization.  I suggest that you not be drawn into the hype.

If Intel has some super-sensitive or especially vulnerable application
using SQLite that we don't know about, then you can take out a
cost-efficient consulting contract with us and we will work closely
and confidentially with you to secure your application against past
and future hacks and ensure that you stay up-to-date with all the
latest patches.  Otherwise, please just ignore Tencent.  Excessive
focus on Tencent and their vulnerability marketing organization will
merely distract you from defending against actual threats.

-- 
D. Richard Hipp
d...@sqlite.org
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
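
Added example, not part of the original message or of SQLite's own code: a way to check both exposure conditions named in the reply (FTS3 available, SQL from untrusted parties) and to restrict untrusted statements with SQLite's authorizer callback. The `notes` table, the allowlist and all function names are assumptions made for illustration.

```python
import sqlite3

ALLOWED_TABLES = {"notes"}  # hypothetical application table


def fts3_available():
    """Probe a throwaway in-memory database for the FTS3 module."""
    probe = sqlite3.connect(":memory:")
    try:
        probe.execute("CREATE VIRTUAL TABLE t USING fts3(x)")
        return True
    except sqlite3.OperationalError:  # e.g. "no such module: fts3"
        return False
    finally:
        probe.close()


def read_only_authorizer(action, arg1, arg2, dbname, source):
    """Allow plain SELECTs that read allowlisted tables; deny everything else."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and arg1 in ALLOWED_TABLES:
        return sqlite3.SQLITE_OK
    # CREATE VIRTUAL TABLE, SQL functions, PRAGMA, ATTACH and writes end up here.
    return sqlite3.SQLITE_DENY


def open_for_untrusted_sql():
    """Build a constructed sample database, then lock it down."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes(title TEXT)")
    conn.execute("INSERT INTO notes VALUES ('constructed sample row')")
    conn.commit()
    conn.set_authorizer(read_only_authorizer)  # installed after trusted setup
    return conn


def run_untrusted(conn, sql):
    """Return (True, rows) or (False, error text) for one untrusted statement."""
    try:
        return True, conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:
        return False, str(exc)


if __name__ == "__main__":
    print("FTS3 available in this build:", fts3_available())
    db = open_for_untrusted_sql()
    print(run_untrusted(db, "SELECT title FROM notes"))
    print(run_untrusted(db, "CREATE VIRTUAL TABLE x USING fts3(body)"))
```

The authorizer is a deny-by-default allowlist, so the FTS3 statement is refused whether or not the extension is compiled into the local build.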
