SUSE-SU-2025:20323-1: moderate: Security update for sqlite3

SLE-SECURITY-UPDATES null at suse.de
Wed May 28 09:30:24 UTC 2025



# Security update for sqlite3

Announcement ID: SUSE-SU-2025:20323-1  
Release Date: May 16, 2025, 12:51 p.m.  
Rating: moderate  
References:

  * bsc#1241020
  * bsc#1241078

  
Cross-References:

  * CVE-2025-29087
  * CVE-2025-29088

  
CVSS scores:

  * CVE-2025-29087 ( SUSE ):  5.9 CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N
  * CVE-2025-29087 ( SUSE ):  5.7 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L
  * CVE-2025-29087 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2025-29087 ( NVD ):  9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  * CVE-2025-29087 ( NVD ):  3.2 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L
  * CVE-2025-29088 ( SUSE ):  6.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  * CVE-2025-29088 ( SUSE ):  5.5 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
  * CVE-2025-29088 ( NVD ):  7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  * CVE-2025-29088 ( NVD ):  5.6 CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L

  
Affected Products:

  * SUSE Linux Micro 6.0

  
  
An update that solves two vulnerabilities can now be installed.

## Description:

This update for sqlite3 fixes the following issues:

  * Update to release 3.49.1:
    * Improve portability of makefiles and configure scripts.
    * CVE-2025-29087, bsc#1241020: Fix a bug in the concat_ws() function,
      introduced in version 3.44.0, that could lead to a memory error if the
      separator string is very large (hundreds of megabytes).
    * CVE-2025-29088, bsc#1241078: Enhanced the SQLITE_DBCONFIG_LOOKASIDE
      interface to make it more robust against misuse.

  * Update to release 3.49.0:
    * Enhancements to the query planner:
      * Improve the query-time index optimization so that it works on WITHOUT ROWID tables.
      * Better query plans for large star-query joins. This fixes three different performance regressions that were reported on the SQLite Forum.
      * When two or more queries have the same estimated cost, use the one with the fewer bytes per row.
    * Enhance the iif() SQL function so that it can accept any number of arguments
      greater than or equal to two.
    * Enhance the session extension so that it works on databases that make use of
      generated columns.
    * Omit the SQLITE_USE_STDIO_FOR_CONSOLE compile-time option which was not
      implemented correctly and never worked right. In its place add the
      SQLITE_USE_W32_FOR_CONSOLE_IO compile-time option. This option applies to
      command-line tools like the CLI only, not to the SQLite core. It causes
      Win32 APIs to be used for console I/O instead of stdio. This option affects
      Windows builds only.
    * Three new options to sqlite3_db_config(). All default "on".
      * SQLITE_DBCONFIG_ENABLE_ATTACH_CREATE
      * SQLITE_DBCONFIG_ENABLE_ATTACH_WRITE
      * SQLITE_DBCONFIG_ENABLE_COMMENTS
    * Re-enable SONAME which got disabled by default in 3.48.0.
      * https://www.sqlite.org/src/forumpost/5a3b44f510df8ded
      * https://sqlite.org/forum/forumpost/ab8f15697a

  * Update to release 3.48.0:
    * Improved EXPLAIN QUERY PLAN output for covering indexes.
    * Allow a two-argument version of the iif() SQL function.
    * Also allow if() as an alternative spelling for iif().
    * Add the ".dbtotxt" command to the CLI.
    * Add the SQLITE_IOCAP_SUBPAGE_READ property to the xDeviceCharacteristics
      method of the sqlite3_io_methods object.
    * Add the SQLITE_PREPARE_DONT_LOG option to sqlite3_prepare_v3() that prevents
      warning messages being sent to the error log if the SQL is ill-formed. This
      allows sqlite3_prepare_v3() to be used to do test compiles of SQL to check
      for validity without polluting the error log with false messages.
    * Increase the minimum allowed value of SQLITE_LIMIT_LENGTH from 1 to 30.
    * Added the SQLITE_FCNTL_NULL_IO file control.
    * Extend the FTS5 auxiliary API xInstToken() to work with prefix queries via
      the insttoken configuration option and the fts5_insttoken() SQL function.
    * Increase the maximum number of arguments to an SQL function from 127 to
      1000.

  * Update to release 3.47.2:
    * Fix a problem in text-to-floating-point conversion that affects text values
      where the first 16 significant digits are '1844674407370955'. This issue was
      introduced in 3.47.0 and only arises on x64 and i386 hardware.
    * Other minor bug fixes.
    * Enable the session extension, because NodeJS 22 needs it.

  * Update to release 3.47.1:
    * Fix the makefiles so that they once again honor DESTDIR for the "install"
      target.
    * Add the SQLITE_IOCAP_SUBPAGE_READ capability to the VFS, to work around
      issues on some non-standard VFSes caused by making
      SQLITE_DIRECT_OVERFLOW_READ the default in version 3.45.0.
    * Fix incorrect answers to certain obscure IN queries caused by new query
      optimizations added in the 3.47.0 release.
    * Other minor bug fixes.

  * Update to release 3.47.0:
    * Allow arbitrary expressions in the second argument to the RAISE function.
    * If the RHS of the ->> operator is negative, then access array elements
      counting from the right.
    * Fix a problem with rolling back hot journal files in the seldom-used
      unix-dotfile VFS.
    * FTS5 tables can now be dropped even if they use a non-standard tokenizer
      that has not been registered.
    * Fix the group_concat() aggregate function so that it returns an empty
      string, not a NULL, if it receives a single input value which is an empty
      string.
    * Enhance the generate_series() table-valued function so that it is able to
      recognize and use constraints on its output value.
    * Preupdate hooks now recognize when a column added by ALTER TABLE ADD COLUMN
      has a non-null default value.
    * Improved reuse of subqueries associated with the IN operator, especially
      when the IN operator has been duplicated due to predicate push-down.
    * Use a Bloom filter on subqueries on the right-hand side of the IN operator,
      in cases where that seems likely to improve performance.
    * Ensure that queries like "SELECT func(a) FROM tab GROUP BY 1" only invoke
      the func() function once per row.
    * No attempt is made to create automatic indexes on a column that is known to
      be non-selective because of its use in other indexes that have been
      analyzed.
    * Adjustments to the query planner so that it produces better plans for star
      queries with a large number of dimension tables.
    * Add the "order-by-subquery" optimization, that seeks to disable sort
      operations in outer queries if the desired order is obtained naturally due
      to ORDER BY clauses in subqueries.
    * The "indexed-subtype-expr" optimization strives to use expressions that are
      part of an index rather than recomputing the expression based on table
      values, as long as the query planner can prove that the subtype of the
      expression will never be used.
    * Miscellaneous coding tweaks for faster runtimes.
    * Add the experimental sqlite3_rsync program.
    * Add extension functions median(), percentile(), percentile_cont(), and
      percentile_disc() to the CLI.
    * Add the .www dot-command to the CLI.
    * The sqlite3_analyzer utility now provides a break-out of statistics for
      WITHOUT ROWID tables.
    * The sqldiff utility avoids creating an empty database if its second argument
      does not exist.
    * Enhance the sqlite_dbpage table-valued function such that INSERT can be used
      to increase or decrease the size of the database file.
    * SQLite no longer makes any use of the "long double" data type, as hardware
      support for long double is becoming less common and long double creates
      challenges for some compiler tool chains. Instead, SQLite uses Dekker's
      algorithm when extended precision is needed.
    * The TCL Interface for SQLite supports TCL9. Everything probably still works
      for TCL 8.5 and later, though this is not guaranteed. Users are encouraged
      to upgrade to TCL9.
    * Fix a corruption-causing bug in the JavaScript "opfs" VFS. Correct "mode=ro"
      handling for the "opfs" VFS. Work around a couple of browser-specific OPFS
      quirks.
    * Add the fts5_tokenizer_v2 API and the locale=1 option, for creating custom
      locale-aware tokenizers and fts5 tables that may take advantage of them.
    * Add the contentless_unindexed=1 option, for creating contentless fts5 tables
      that store the values of any UNINDEXED columns persistently in the database.
    * Allow an FTS5 table to be dropped even if it uses a custom tokenizer whose
      implementation is not available.

  * Update to release 3.46.1:
    * Improved robustness while parsing the tokenize= arguments in FTS5.
    * Enhancements to covering index prediction in the query planner.
    * Do not let the number of terms on a VALUES clause be limited by
      SQLITE_LIMIT_COMPOUND_SELECT, even if the VALUES clause contains elements
      that appear to be variables due to double-quoted string literals.
    * Fix the window function version of group_concat() so that it returns an
      empty string if it has one or more empty string inputs.
    * In FTS5 secure-delete mode, fix false-positive integrity-check reports about
      corrupt indexes.
    * Syntax errors in ALTER TABLE should always return SQLITE_ERROR. In some
      cases, they were formerly returning SQLITE_INTERNAL.
    * Other minor fixes.

  * Update to release 3.46.0:
    * https://sqlite.org/releaselog/3_46_0.html
    * Enhance PRAGMA optimize in multiple ways.
    * Enhancements to the date and time functions.
    * Add support for underscore ("_") characters between digits in numeric
      literals.
    * Add the json_pretty() SQL function.
    * Query planner improvements.
    * Allocate additional memory from the heap for the SQL parser stack if that
      stack overflows, rather than reporting a "parser stack overflow" error.
    * Allow ASCII control characters within JSON5 string literals.
    * Fix the -> and ->> JSON operators so that when the right-hand side operand
      is a string that looks like an integer it is still treated as a string,
      because that is what PostgreSQL does.

  * Update to release 3.45.3:
    * Fix a long-standing bug (going back to version 3.24.0) that might (rarely)
      cause the "old.*" values of an UPDATE trigger to be incorrect if that
      trigger fires in response to an UPSERT.
    * Reduce the scope of the NOT NULL strength reduction optimization that was
      added as item 8e in version 3.35.0. The optimization was being attempted in
      some contexts where it did not work, resulting in incorrect query results.
    * Add SQLITE_STRICT_SUBTYPE=1 as recommended by upstream.

  * Update to release 3.45.2:
    * Added the SQLITE_RESULT_SUBTYPE property for application-defined SQL
      functions.
    * Enhancements to the JSON SQL functions.
    * Add the FTS5 tokendata option to the FTS5 virtual table.
    * The SQLITE_DIRECT_OVERFLOW_READ optimization is now enabled by default.
    * Query planner improvements.
    * Increase the default value for SQLITE_MAX_PAGE_COUNT from 1073741824 to
      4294967294.
    * Enhancements to the CLI.
    * Restore the JSON BLOB input bug, and promise to support the anomaly in
      subsequent releases, for backward compatibility.
    * Fix the PRAGMA integrity_check command so that it works on read-only
      databases that contain FTS3 and FTS5 tables.
    * Fix issues associated with processing corrupt JSONB inputs.
    * Fix a long-standing bug in which a read of a few bytes past the end of a
      memory-mapped segment might occur when accessing a craftily corrupted
      database using memory-mapped database.
    * Fix a long-standing bug in which a NULL pointer dereference might occur in
      the bytecode engine due to incorrect bytecode being generated for a class of
      SQL statements that are deliberately designed to stress the query planner
      but which are otherwise pointless.
    * Fix an error in UPSERT, introduced in version 3.35.0.
    * Reduce the scope of the NOT NULL strength reduction optimization that was
      added in version 3.35.0.

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * SUSE Linux Micro 6.0  
    zypper in -t patch SUSE-SLE-Micro-6.0-325=1
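
To confirm the result after patching, the following added example (not part of the SUSE advisory) classifies an SQLite version against the concat_ws() window stated in the description: introduced in 3.44.0, fixed in 3.49.1. The function names and the sample versions are constructed for illustration, and versions are assumed to be plain dotted numbers that GNU `sort -V` orders correctly.

```shell
#!/bin/sh
# Added example: classify an SQLite version against the CVE-2025-29087 window
# given in this advisory (bug introduced in 3.44.0, fixed in 3.49.1).
# Assumption: plain dotted numeric versions, compared with GNU `sort -V`.

INTRODUCED="3.44.0"   # from the advisory text
FIXED="3.49.1"        # from the advisory text

# ver_ge A B: succeed if version A >= version B
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# concat_ws_status VERSION[-RELEASE]: print the exposure class
concat_ws_status() {
    v="${1%%-*}"                  # drop the RPM release suffix, e.g. "-1.1"
    case "$v" in
        ''|*[!0-9.]*) echo "unknown"; return 0 ;;   # refuse anything non-numeric
    esac
    if ver_ge "$v" "$FIXED"; then
        echo "fixed"
    elif ver_ge "$v" "$INTRODUCED"; then
        echo "affected"
    else
        echo "predates-bug"
    fi
}

# host_status: classify the libsqlite3-0 package installed on this host
host_status() {
    command -v rpm >/dev/null 2>&1 || { echo "unknown"; return 0; }
    ver="$(rpm -q --qf '%{VERSION}-%{RELEASE}' libsqlite3-0 2>/dev/null)" \
        || { echo "unknown"; return 0; }
    concat_ws_status "$ver"
}

# Constructed sample inventory (not real hosts), then the local host.
for sample in 3.43.2-1.1 3.44.0-2.3 3.48.0-1.1 3.49.1-1.1 3.50.0-1.1; do
    printf '%-12s %s\n' "$sample" "$(concat_ws_status "$sample")"
done
printf '%-12s %s\n' "this-host" "$(host_status)"
```

The classification looks at the upstream version number only, so a package that carries a backported fix under an older version number would still be reported as affected.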

## Package List:

  * SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
    * sqlite3-debugsource-3.49.1-1.1
    * libsqlite3-0-3.49.1-1.1
    * libsqlite3-0-debuginfo-3.49.1-1.1

## References:

  * https://www.suse.com/security/cve/CVE-2025-29087.html
  * https://www.suse.com/security/cve/CVE-2025-29088.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1241020
  * https://bugzilla.suse.com/show_bug.cgi?id=1241078
