<div class="container">
<h1>Security update for sqlite3</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2025:20323-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>May 16, 2025, 12:51 p.m.</td>
</tr>
<tr>
<th>Rating:</th>
<td>moderate</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1241020">bsc#1241020</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1241078">bsc#1241078</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-29087.html">CVE-2025-29087</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-29088.html">CVE-2025-29088</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-29087</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.9</span>
<span class="cvss-vector">CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-29087</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.7</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-29087</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-29087</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">9.8</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-29087</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">3.2</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-29088</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">6.8</span>
<span class="cvss-vector">CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-29088</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.5</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-29088</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-29088</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">5.6</span>
<span class="cvss-vector">CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">SUSE Linux Micro 6.0</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves two vulnerabilities can now be installed.</p>
<h2>Description:</h2>
<p>This update for sqlite3 fixes the following issues:</p>
<ul>
<li>
<p>Update to release 3.49.1:</p>
</li>
<li>
<p>Improve portability of makefiles and configure scripts.</p>
</li>
<li>CVE-2025-29087, bsc#1241020: Fix a bug in the concat_ws()
function, introduced in version 3.44.0, that could lead to a
memory error if the separator string is very large (hundreds
of megabytes).</li>
<li>
<p>CVE-2025-29088, bsc#1241078: Enhanced the
SQLITE_DBCONFIG_LOOKASIDE interface to make it more robust
against misuse.</p>
</li>
<li>
<p>Update to release 3.49.0:</p>
</li>
<li>
<p>Enhancements to the query planner:</p>
<ul>
<li>Improve the query-time index optimization so that it works on
WITHOUT ROWID tables.</li>
<li>Better query plans for large star-query joins. This fixes
three different performance regressions that were reported
on the SQLite Forum.</li>
<li>When two or more queries have the same estimated cost, use
the one with the fewer bytes per row.</li>
</ul>
</li>
<li>Enhance the iif() SQL function so that it can accept any number
of arguments greater than or equal to two.</li>
<li>Enhance the session extension so that it works on databases
that make use of generated columns.</li>
<li>Omit the SQLITE_USE_STDIO_FOR_CONSOLE compile-time option which
was not implemented correctly and never worked right. In its place
add the SQLITE_USE_W32_FOR_CONSOLE_IO compile-time option. This
option applies to command-line tools like the CLI only, not to the
SQLite core. It causes Win32 APIs to be used for console I/O
instead of stdio. This option affects Windows builds only.</li>
<li>
<p>Three new options to sqlite3_db_config(). All default "on":</p>
<ul>
<li>SQLITE_DBCONFIG_ENABLE_ATTACH_CREATE</li>
<li>SQLITE_DBCONFIG_ENABLE_ATTACH_WRITE</li>
<li>SQLITE_DBCONFIG_ENABLE_COMMENTS</li>
</ul>
</li>
<li>
<p>Re-enable SONAME which got disabled by default in 3.48.0.</p>
</li>
<li><a href="https://www.sqlite.org/src/forumpost/5a3b44f510df8ded">https://www.sqlite.org/src/forumpost/5a3b44f510df8ded</a></li>
<li>
<p><a href="https://sqlite.org/forum/forumpost/ab8f15697a">https://sqlite.org/forum/forumpost/ab8f15697a</a></p>
</li>
<li>
<p>Update to release 3.48.0:</p>
</li>
<li>
<p>Improved EXPLAIN QUERY PLAN output for covering indexes.</p>
</li>
<li>Allow a two-argument version of the iif() SQL function.</li>
<li>Also allow if() as an alternative spelling for iif().</li>
<li>Add the ".dbtotxt" command to the CLI.</li>
<li>Add the SQLITE_IOCAP_SUBPAGE_READ property to the
xDeviceCharacteristics method of the sqlite3_io_methods object.</li>
<li>Add the SQLITE_PREPARE_DONT_LOG option to sqlite3_prepare_v3()
that prevents warning messages being sent to the error log if
the SQL is ill-formed. This allows sqlite3_prepare_v3() to be
used to do test compiles of SQL to check for validity without
polluting the error log with false messages.</li>
<li>Increase the minimum allowed value of SQLITE_LIMIT_LENGTH from
1 to 30.</li>
<li>Added the SQLITE_FCNTL_NULL_IO file control.</li>
<li>Extend the FTS5 auxiliary API xInstToken() to work with prefix
queries via the insttoken configuration option and the
fts5_insttoken() SQL function.</li>
<li>
<p>Increase the maximum number of arguments to an SQL function
from 127 to 1000.</p>
</li>
<li>
<p>Update to release 3.47.2:</p>
</li>
<li>
<p>Fix a problem in text-to-floating-point conversion that affects
text values where the first 16 significant digits are
'1844674407370955'. This issue was introduced in 3.47.0 and
only arises on x64 and i386 hardware.</p>
</li>
<li>Other minor bug fixes.</li>
<li>
<p>Enable the session extension, because NodeJS 22 needs it.</p>
</li>
<li>
<p>Update to release 3.47.1:</p>
</li>
<li>
<p>Fix the makefiles so that they once again honor DESTDIR for
the "install" target.</p>
</li>
<li>Add the SQLITE_IOCAP_SUBPAGE_READ capability to the VFS, to
work around issues on some non-standard VFSes caused by making
SQLITE_DIRECT_OVERFLOW_READ the default in version 3.45.0.</li>
<li>Fix incorrect answers to certain obscure IN queries caused by
new query optimizations added in the 3.47.0 release.</li>
<li>
<p>Other minor bug fixes.</p>
</li>
<li>
<p>Update to release 3.47.0:</p>
</li>
<li>
<p>Allow arbitrary expressions in the second argument to the RAISE
function.</p>
</li>
<li>If the RHS of the ->> operator is negative, then access array
elements counting from the right.</li>
<li>Fix a problem with rolling back hot journal files in the
seldom-used unix-dotfile VFS.</li>
<li>FTS5 tables can now be dropped even if they use a non-standard
tokenizer that has not been registered.</li>
<li>Fix the group_concat() aggregate function so that it returns an
empty string, not a NULL, if it receives a single input value
which is an empty string.</li>
<li>Enhance the generate_series() table-valued function so that it
is able to recognize and use constraints on its output value.</li>
<li>Preupdate hooks now recognize when a column added by ALTER
TABLE ADD COLUMN has a non-null default value.</li>
<li>Improved reuse of subqueries associated with the IN operator,
especially when the IN operator has been duplicated due to
predicate push-down.</li>
<li>Use a Bloom filter on subqueries on the right-hand side of the
IN operator, in cases where that seems likely to improve
performance.</li>
<li>Ensure that queries like "SELECT func(a) FROM tab GROUP BY 1"
only invoke the func() function once per row.</li>
<li>No attempt is made to create automatic indexes on a column
that is known to be non-selective because of its use in other
indexes that have been analyzed.</li>
<li>Adjustments to the query planner so that it produces better
plans for star queries with a large number of dimension
tables.</li>
<li>Add the "order-by-subquery" optimization, that seeks to
disable sort operations in outer queries if the desired order
is obtained naturally due to ORDER BY clauses in subqueries. </li>
<li>The "indexed-subtype-expr" optimization strives to use
expressions that are part of an index rather than recomputing
the expression based on table values, as long as the query
planner can prove that the subtype of the expression will
never be used.</li>
<li>Miscellaneous coding tweaks for faster runtimes.</li>
<li>Add the experimental sqlite3_rsync program.</li>
<li>Add extension functions median(), percentile(),
percentile_cont(), and percentile_disc() to the CLI.</li>
<li>Add the .www dot-command to the CLI.</li>
<li>The sqlite3_analyzer utility now provides a break-out of
statistics for WITHOUT ROWID tables.</li>
<li>The sqldiff utility avoids creating an empty database if its
second argument does not exist.</li>
<li>Enhance the sqlite_dbpage table-valued function such that
INSERT can be used to increase or decrease the size of the
database file.</li>
<li>SQLite no longer makes any use of the "long double" data type,
as hardware support for long double is becoming less common
and long double creates challenges for some compiler tool
chains. Instead, SQLite uses Dekker's algorithm when extended
precision is needed.</li>
<li>The TCL Interface for SQLite supports TCL9. Everything
probably still works for TCL 8.5 and later, though this is not
guaranteed. Users are encouraged to upgrade to TCL9.</li>
<li>Fix a corruption-causing bug in the JavaScript "opfs" VFS.
Correct "mode=ro" handling for the "opfs" VFS. Work around a
couple of browser-specific OPFS quirks.</li>
<li>Add the fts5_tokenizer_v2 API and the locale=1 option, for
creating custom locale-aware tokenizers and fts5 tables that
may take advantage of them.</li>
<li>Add the contentless_unindexed=1 option, for creating
contentless fts5 tables that store the values of any UNINDEXED
columns persistently in the database.</li>
<li>
<p>Allow an FTS5 table to be dropped even if it uses a custom
tokenizer whose implementation is not available.</p>
</li>
<li>
<p>Update to release 3.46.1:</p>
</li>
<li>Improved robustness while parsing the tokenize= arguments in
FTS5.</li>
<li>Enhancements to covering index prediction in the query planner.</li>
<li>Do not let the number of terms on a VALUES clause be limited by
SQLITE_LIMIT_COMPOUND_SELECT, even if the VALUES clause
contains elements that appear to be variables due to
double-quoted string literals.</li>
<li>Fix the window function version of group_concat() so that it
returns an empty string if it has one or more empty string
inputs.</li>
<li>In FTS5 secure-delete mode, fix false-positive integrity-check
reports about corrupt indexes.</li>
<li>Syntax errors in ALTER TABLE should always return SQLITE_ERROR.
In some cases, they were formerly returning SQLITE_INTERNAL.</li>
<li>
<p>Other minor fixes.</p>
</li>
<li>
<p>Update to release 3.46.0:</p>
</li>
<li>
<p><a href="https://sqlite.org/releaselog/3_46_0.html">https://sqlite.org/releaselog/3_46_0.html</a></p>
</li>
<li>
<p>Enhance PRAGMA optimize in multiple ways.</p>
</li>
<li>Enhancements to the date and time functions.</li>
<li>Add support for underscore ("_") characters between digits in
numeric literals.</li>
<li>Add the json_pretty() SQL function.</li>
<li>Query planner improvements.</li>
<li>Allocate additional memory from the heap for the SQL parser
stack if that stack overflows, rather than reporting a "parser
stack overflow" error.</li>
<li>Allow ASCII control characters within JSON5 string literals.</li>
<li>
<p>Fix the -> and ->> JSON operators so that when the right-hand
side operand is a string that looks like an integer it is still
treated as a string, because that is what PostgreSQL does.</p>
</li>
<li>
<p>Update to release 3.45.3:</p>
</li>
<li>
<p>Fix a long-standing bug (going back to version 3.24.0) that
might (rarely) cause the "old.*" values of an UPDATE trigger
to be incorrect if that trigger fires in response to an UPSERT.</p>
</li>
<li>Reduce the scope of the NOT NULL strength reduction
optimization that was added as item 8e in version 3.35.0. The
optimization was being attempted in some contexts where it did
not work, resulting in incorrect query results.</li>
<li>
<p>Add SQLITE_STRICT_SUBTYPE=1 as recommended by upstream.</p>
</li>
<li>
<p>Update to release 3.45.2:</p>
</li>
<li>
<p>Added the SQLITE_RESULT_SUBTYPE property for application-defined
SQL functions.</p>
</li>
<li>Enhancements to the JSON SQL functions.</li>
<li>Add the FTS5 tokendata option to the FTS5 virtual table.</li>
<li>The SQLITE_DIRECT_OVERFLOW_READ optimization is now enabled by
default.</li>
<li>Query planner improvements.</li>
<li>Increase the default value for SQLITE_MAX_PAGE_COUNT from
1073741824 to 4294967294.</li>
<li>Enhancements to the CLI.</li>
<li>Restore the JSON BLOB input bug, and promise to support the
anomaly in subsequent releases, for backward compatibility.</li>
<li>Fix the PRAGMA integrity_check command so that it works on
read-only databases that contain FTS3 and FTS5 tables.</li>
<li>Fix issues associated with processing corrupt JSONB inputs.</li>
<li>Fix a long-standing bug in which a read of a few bytes past the
end of a memory-mapped segment might occur when accessing a
craftily corrupted database using memory-mapped I/O.</li>
<li>Fix a long-standing bug in which a NULL pointer dereference
might occur in the bytecode engine due to incorrect bytecode
being generated for a class of SQL statements that are
deliberately designed to stress the query planner but which
are otherwise pointless.</li>
<li>Fix an error in UPSERT, introduced in version 3.35.0.</li>
<li>Reduce the scope of the NOT NULL strength reduction
optimization that was added in version 3.35.0.</li>
</ul>
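<p>The version ranges above (CVE-2025-29087 introduced in 3.44.0 and fixed in 3.49.1; CVE-2025-29088 fixed in 3.49.1, with no introduction version stated) can be turned into a quick check of whichever SQLite library a process is actually linked against. The following Python is an added example, not part of this advisory or of the SQLite project; it uses only the standard <code>sqlite3</code> module, and the range table and the small concat_ws() sanity query are constructed here from the advisory text.</p>

```python
import sqlite3

# Version ranges taken from the advisory text. CVE-2025-29088 states no
# introduction version, so every release before the fix is treated as affected.
FIXED_IN = (3, 49, 1)
ADVISORY = {
    "CVE-2025-29087": ((3, 44, 0), FIXED_IN),  # affected: introduced <= v < fixed
    "CVE-2025-29088": (None, FIXED_IN),        # affected: v < fixed
}


def parse_version(text):
    """Turn an SQLite version string such as '3.49.1' into a comparable tuple.
    A trailing RPM release suffix ('-1.1', as in the package list) is dropped."""
    parts = text.split("-", 1)[0].split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an SQLite version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))  # '3.49' -> (3, 49, 0)


def affected_cves(version):
    """Return the advisory CVEs that still apply to the given library version."""
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    return [cve for cve, (introduced, fixed) in ADVISORY.items()
            if v < fixed and (introduced is None or v >= introduced)]


def check_linked_sqlite():
    """Report on the SQLite library linked into this Python process."""
    return sqlite3.sqlite_version, affected_cves(sqlite3.sqlite_version_info)


def concat_ws_ok():
    """Sanity-check concat_ws(), the function named in CVE-2025-29087, on a
    normal small separator. The bug needs a separator of hundreds of
    megabytes; this check never constructs one. Returns None when the
    linked library predates 3.44.0 and has no concat_ws() at all."""
    con = sqlite3.connect(":memory:")
    try:
        return con.execute("SELECT concat_ws(', ', 'a', NULL, 'b')").fetchone()[0]
    except sqlite3.OperationalError:
        return None
    finally:
        con.close()


if __name__ == "__main__":
    ver, cves = check_linked_sqlite()
    print(f"SQLite {ver}: {'affected by ' + ', '.join(cves) if cves else 'not affected'}")
    print("concat_ws sanity query ->", concat_ws_ok())
```

On the patched SUSE Linux Micro 6.0 system (libsqlite3-0-3.49.1-1.1) the check reports no affected CVEs; note that statically bundled copies of SQLite in other software are not covered by the distribution package and must be checked separately.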
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
SUSE Linux Micro 6.0
<br/>
<code>zypper in -t patch SUSE-SLE-Micro-6.0-325=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
SUSE Linux Micro 6.0 (aarch64 s390x x86_64)
<ul>
<li>sqlite3-debugsource-3.49.1-1.1</li>
<li>libsqlite3-0-3.49.1-1.1</li>
<li>libsqlite3-0-debuginfo-3.49.1-1.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2025-29087.html">https://www.suse.com/security/cve/CVE-2025-29087.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2025-29088.html">https://www.suse.com/security/cve/CVE-2025-29088.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1241020">https://bugzilla.suse.com/show_bug.cgi?id=1241020</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1241078">https://bugzilla.suse.com/show_bug.cgi?id=1241078</a>
</li>
</ul>
</div>