this point, but were not mentioned in the change log so far:
* bsc#1173641, CVE-2020-15358: heap-based buffer overflow in
multiSelectOrderBy due to mishandling of query-flattener
optimization
* bsc#1164719, CVE-2020-9327: NULL pointer dereference and
segmentation fault because of generated column optimizations in
isAuxiliaryVtabOperator
* bsc#1160439, CVE-2019-20218: selectExpander in select.c proceeds
with WITH stack unwinding even after a parsing error
* bsc#1160438, CVE-2019-19959: memory-management error via
ext/misc/zipfile.c involving embedded '\0' input
* bsc#1160309, CVE-2019-19923: improper handling of certain uses
of SELECT DISTINCT in flattenSubquery may lead to null pointer
dereference
* bsc#1159850, CVE-2019-19924: improper error handling in
sqlite3WindowRewrite()
* bsc#1159847, CVE-2019-19925: improper handling of NULL pathname
during an update of a ZIP archive
* bsc#1159715, CVE-2019-19926: improper handling of certain
errors during parsing multiSelect in select.c
* bsc#1159491, CVE-2019-19880: exprListAppendList in window.c
allows attackers to trigger an invalid pointer dereference
* bsc#1158960, CVE-2019-19603: during handling of CREATE TABLE
and CREATE VIEW statements, does not consider confusion with
a shadow table name
* bsc#1158959, CVE-2019-19646: pragma.c mishandles NOT NULL in an
integrity_check PRAGMA command in certain cases of generated
columns
* bsc#1158958, CVE-2019-19645: alter.c allows attackers to trigger
infinite recursion via certain types of self-referential views
in conjunction with ALTER TABLE statements
* bsc#1158812, CVE-2019-19317: lookupName in resolve.c omits bits
from the colUsed bitmask in the case of a generated column,
which allows attackers to cause a denial of service
* bsc#1157818, CVE-2019-19244: sqlite3,sqlite2,sqlite: The
function sqlite3Select in select.c allows a crash if a
sub-select uses both DISTINCT and window functions, and also
has certain ORDER BY usage
* bsc#928701, CVE-2015-3415: sqlite3VdbeExec comparison operator
vulnerability
* bsc#928700, CVE-2015-3414: sqlite3,sqlite2: dequoting of
collation-sequence names
* CVE-2018-20346, bsc#1119687: remote code execution
vulnerability in FTS3 (Magellan).
OBS-URL: https://build.opensuse.org/package/show/server:database/sqlite3?expand=0&rev=261
- update to 3.35.0:
* Added built-in SQL math functions().
(Requires the -DSQLITE_ENABLE_MATH_FUNCTIONS compile-time option.)
* Added support for ALTER TABLE DROP COLUMN.
* Generalize UPSERT:
+ Allow multiple ON CONFLICT clauses that are evaluated in order.
+ The final ON CONFLICT clause may omit the conflict target and yet still use DO UPDATE.
* Add support for the RETURNING clause on DELETE, INSERT, and UPDATE statements.
* Use less memory when running VACUUM on databases containing very large TEXT
or BLOB values. It is no longer necessary to hold the entire TEXT or BLOB
in memory all at once.
* Add support for the MATERIALIZED and NOT MATERIALIZED hints when specifying
common table expressions. The default behavior was formerly NOT
MATERIALIZED, but is now changed to MATERIALIZED for CTEs that are used
more than once.
* The SQLITE_DBCONFIG_ENABLE_TRIGGER and SQLITE_DBCONFIG_ENABLE_VIEW settings
are modified so that they only control triggers and views in the main
database schema or in attached database schemas and not in the TEMP schema.
TEMP triggers and views are always allowed.
* Query planner/optimizer improvements
* Enhance the ".stats" command to accept new arguments "stmt" and "vmstep",
causing prepare statement statistics and only the virtual-machine step
count to be shown, respectively.
* Add the ".filectrl data_version" command.
* Enhance the ".once" and ".output" commands so that if the destination
argument begins with "|" (indicating that output is redirected into a pipe)
then the argument does not need to be quoted.
* Fix a bug in the IN-operator optimization of version 3.33.0 that can cause
an incorrect answer.
* Fix incorrect answers from the LIKE operator if the pattern ends with "%"
OBS-URL: https://build.opensuse.org/request/show/879097
OBS-URL: https://build.opensuse.org/package/show/server:database/sqlite3?expand=0&rev=256
* Added the sqlite3_txn_state() interface for reporting on the
current transaction state of the database connection.
* Enhance recursive common table expressions to support two or more
recursive terms as is done by SQL Server, since this helps make
queries against graphs easier to write and faster to execute.
* Improved error messages on CHECK constraint failures.
* The .read dot-command now accepts a pipeline in addition to a
filename.
* Added options --data-only and --nosys to the .dump dot-command.
* Added the --nosys option to the .schema dot-command.
* Table name quoting works correctly for the .import dot-command.
* The generate_series(START,END,STEP) table-valued function
extension is now built into the CLI.
* The .databases dot-command now shows the status of each database
file as determined by sqlite3_db_readonly() and
sqlite3_txn_state().
* Added the --tabs command-line option that sets .mode tabs.
* The --init option reports an error if the file named as its
argument cannot be opened. The --init option also now honors the
--bail option.
* Improved estimates for the cost of running a DISTINCT operator.
* When doing an UPDATE or DELETE using a multi-column index where
only a few of the earlier columns of the index are useful for the
index lookup, postpone doing the main table seek until after all
WHERE clause constraints have been evaluated, in case those
constraints can be covered by unused later terms of the index,
thus avoiding unnecessary main table seeks.
* The new OP_SeekScan opcode is used to improve performance of
multi-column index look-ups when later columns are constrained by
OBS-URL: https://build.opensuse.org/package/show/server:database/sqlite3?expand=0&rev=252
- Update to version 3.29.0
* Added the SQLITE_DBCONFIG_DQS_DML and SQLITE_DBCONFIG_DQS_DDL
actions to sqlite3_db_config() for activating and deactivating
the double-quoted string literal misfeature. Both default to
"on" for legacy compatibility, but developers are encouraged
to turn them "off", perhaps using the -DSQLITE_DQS=0
compile-time option.
* -DSQLITE_DQS=0 is now a recommended compile-time option.
* Improvements to the query planner:
+ Improved optimization of AND and OR operators when one or
the other operand is a constant.
+ Enhancements to the LIKE optimization for cases when the
left-hand side column has numeric affinity.
* Added the "sqlite_dbdata" virtual table for extracting raw
low-level content from an SQLite database, even a database
that is corrupt.
* Enhancements to the CLI:
+ Add the ".recover" command which tries to recover as much
content as possible from a corrupt database file.
+ Add the ".filectrl" command useful for testing.
+ Add the long-standing ".testctrl" command to the ".help" menu.
+ Added the ".dbconfig" command
OBS-URL: https://build.opensuse.org/request/show/714604
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sqlite3?expand=0&rev=114
OBS-URL: https://build.opensuse.org/package/show/server:database/sqlite3?expand=0&rev=229
* CVE-2019-9936, bsc#1130326: running fts5 prefix queries inside
a transaction could trigger a heap-based buffer over-read.
* CVE-2019-9937, bsc#1130325: interleaving reads and writes in a
single transaction with an fts5 virtual table will lead to a
NULL Pointer Dereference.
* Enhanced window functions
* Enhanced VACUUM INTO so that it works for read-only databases.
* New query optimizations.
* Added the sqlite3_value_frombind() API for determining if the
argument to an SQL function is from a bound parameter.
* Security and compatibilities enhancements to fts3_tokenizer().
* Improved robustness against corrupt database files.
OBS-URL: https://build.opensuse.org/package/show/server:database/sqlite3?expand=0&rev=227
- SQLite 3.26.0:
* Optimization: When doing an UPDATE on a table with indexes on
expressions, do not update the expression indexes if they do
not refer to any of the columns of the table being updated.
* Allow the xBestIndex() method of virtual table implementations
to return SQLITE_CONSTRAINT to indicate that the proposed query
plan is unusable and should not be given further consideration.
* Added the SQLITE_DBCONFIG_DEFENSIVE option which disables the
ability to create corrupt database files using ordinary SQL.
* Added support for read-only shadow tables when the
SQLITE_DBCONFIG_DEFENSIVE option is enabled.
* Added the PRAGMA legacy_alter_table command, which if enabled
causes the ALTER TABLE command to behave like older versions of
SQLite (prior to version 3.25.0) for compatibility.
* Added PRAGMA table_xinfo that works just like PRAGMA table_info
except that it also shows hidden columns in virtual tables.
* Added the explain virtual table as a run-time loadable
extension.
* Add a limit counter to the query planner to prevent excessive
sqlite3_prepare() times for certain pathological SQL inputs.
* Added support for the sqlite3_normalized_sql() interface, when
compiling with SQLITE_ENABLE_NORMALIZE.
* Enhanced triggers so that they can use table-valued functions
that exist in schemas other than the schema where the trigger
is defined.
* Improvements to the ".help" command in the CLI.
* The SQLITE_HISTORY environment variable, if it exists,
specifies the name of the command-line editing history file.
* The --deserialize option associated with opening a new database
in the CLI causes the database file to be read into memory and
accessed using the sqlite3_deserialize() API. This simplifies
running tests on a database without modifying the file on disk.
OBS-URL: https://build.opensuse.org/request/show/664348
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/sqlite3?expand=0&rev=110