this point, but were not mentioned in the chane log so far:
* bsc#1173641, CVE-2020-15358: heap-based buffer overflow in
multiSelectOrderBy due to mishandling of query-flattener
optimization
* bsc#1164719, CVE-2020-9327: NULL pointer dereference and
segmentation fault because of generated column optimizations in
isAuxiliaryVtabOperator
* bsc#1160439, CVE-2019-20218: selectExpander in select.c proceeds
with WITH stack unwinding even after a parsing error
* bsc#1160438, CVE-2019-19959: memory-management error via
ext/misc/zipfile.c involving embedded '\0' input
* bsc#1160309, CVE-2019-19923: improper handling of certain uses
of SELECT DISTINCT in flattenSubquery may lead to null pointer
dereference
* bsc#1159850, CVE-2019-19924: improper error handling in
sqlite3WindowRewrite()
* bsc#1159847, CVE-2019-19925: improper handling of NULL pathname
during an update of a ZIP archive
* bsc#1159715, CVE-2019-19926: improper handling of certain
errors during parsing multiSelect in select.c
* bsc#1159491, CVE-2019-19880: exprListAppendList in window.c
allows attackers to trigger an invalid pointer dereference
* bsc#1158960, CVE-2019-19603: during handling of CREATE TABLE
and CREATE VIEW statements, does not consider confusion with
a shadow table name
* bsc#1158959, CVE-2019-19646: pragma.c mishandles NOT NULL in an
integrity_check PRAGMA command in certain cases of generated
columns
* bsc#1158958, CVE-2019-19645: alter.c allows attackers to trigger
infinite recursion via certain types of self-referential views
in conjunction with ALTER TABLE statements
* bsc#1158812, CVE-2019-19317: lookupName in resolve.c omits bits
from the colUsed bitmask in the case of a generated column,
which allows attackers to cause a denial of service
* bsc#1157818, CVE-2019-19244: sqlite3,sqlite2,sqlite: The
function sqlite3Select in select.c allows a crash if a
sub-select uses both DISTINCT and window functions, and also
has certain ORDER BY usage
* bsc#928701, CVE-2015-3415: sqlite3VdbeExec comparison operator
vulnerability
* bsc#928700, CVE-2015-3414: sqlite3,sqlite2: dequoting of
collation-sequence names
* CVE-2018-20346, bsc#1119687: remote code execution
vulnerability in FTS3 (Magellan).
OBS-URL: https://build.opensuse.org/package/show/server:database/sqlite3?expand=0&rev=261
- update to 3.35.0:
* Added built-in SQL math functions().
(Requires the -DSQLITE_ENABLE_MATH_FUNCTIONS compile-time option.)
* Added support for ALTER TABLE DROP COLUMN.
* Generalize UPSERT:
* Allow multiple ON CONFLICT clauses that are evaluated in order,
* The final ON CONFLICT clause may omit the conflict target and yet still use DO UPDATE.
* Add support for the RETURNING clause on DELETE, INSERT, and UPDATE statements.
* Use less memory when running VACUUM on databases containing very large TEXT
or BLOB values. It is no longer necessary to hold the entire TEXT or BLOB
in memory all at once.
* Add support for the MATERIALIZED and NOT MATERIALIZED hints when specifying
common table expressions. The default behavior was formerly NOT
MATERIALIZED, but is now changed to MATERIALIZED for CTEs that are used
more than once.
* The SQLITE_DBCONFIG_ENABLE_TRIGGER and SQLITE_DBCONFIG_ENABLE_VIEW settings
are modified so that they only control triggers and views in the main
database schema or in attached database schemas and not in the TEMP schema.
TEMP triggers and views are always allowed.
* Query planner/optimizer improvements
* Enhance the ".stats" command to accept new arguments "stmt" and "vmstep",
causing prepare statement statistics and only the virtual-machine step
count to be shown, respectively.
* Add the ".filectrl data_version" command.
* Enhance the ".once" and ".output" commands so that if the destination
argument begins with "|" (indicating that output is redirected into a pipe)
then the argument does not need to be quoted.
* Fix a bug in the IN-operator optimization of version 3.33.0 that can cause
an incorrect answer.
* Fix incorrect answers from the LIKE operator if the pattern ends with "%"
OBS-URL: https://build.opensuse.org/request/show/879097
OBS-URL: https://build.opensuse.org/package/show/server:database/sqlite3?expand=0&rev=256
* Added the sqlite3_txn_state() interface for reporting on the
current transaction state of the database connection.
* Enhance recursive common table expressions to support two or more
recursive terms as is done by SQL Server, since this helps make
queries against graphs easier to write and faster to execute.\
* Improved error messages on CHECK constraint failures.
* The .read dot-command now accepts a pipeline in addition to a
filename.
* Added options --data-only and --nosys to the .dump dot-command.
* Added the --nosys option to the .schema dot-command.
* Table name quoting works correctly for the .import dot-command.
* The generate_series(START,END,STEP) table-valued function
extension is now built into the CLI.
* The .databases dot-command now show the status of each database
file as determined by sqlite3_db_readonly() and
sqlite3_txn_state().
* Added the --tabs command-line option that sets .mode tabs.
* The --init option reports an error if the file named as its
argument cannot be opened. The --init option also now honors the
--bail option.
* Improved estimates for the cost of running a DISTINCT operator.
* When doing an UPDATE or DELETE using a multi-column index where
only a few of the earlier columns of the index are useful for the
index lookup, postpone doing the main table seek until after all
WHERE clause constraints have been evaluated, in case those
constraints can be covered by unused later terms of the index,
thus avoiding unnecessary main table seeks.
* The new OP_SeekScan opcode is used to improve performance of
multi-column index look-ups when later columns are constrained by
OBS-URL: https://build.opensuse.org/package/show/server:database/sqlite3?expand=0&rev=252
* Added the SQLITE_DBCONFIG_DQS_DML and SQLITE_DBCONFIG_DQS_DDL
actions to sqlite3_db_config() for activating and deactivating
the double-quoted string literal misfeature. Both default to
"on" for legacy compatibility, but developers are encouraged
to turn them "off", perhaps using the -DSQLITE_DQS=0
compile-time option.
* -DSQLITE_DQS=0 is now a recommended compile-time option.
* Improvements to the query planner:
+ Improved optimization of AND and OR operators when one or
the other operand is a constant.
+ Enhancements to the LIKE optimization for cases when the
left-hand side column has numeric affinity.
* Added the "sqlite_dbdata" virtual table for extracting raw
low-level content from an SQLite database, even a database
that is corrupt.
* Enhancements to the CLI:
+ Add the ".recover" command which tries to recover as much
content as possible from a corrupt database file.
+ Add the ".filectrl" command useful for testing.
+ Add the long-standing ".testctrl" command to the ".help" menu.
+ Added the ".dbconfig" command
OBS-URL: https://build.opensuse.org/package/show/server:database/sqlite3?expand=0&rev=229
* CVE-2019-9936, bsc#1130326: running fts5 prefix queries inside
a transaction could trigger a heap-based buffer over-read.
* CVE-2019-9937, bsc#1130325: interleaving reads and writes in a
single transaction with an fts5 virtual table will lead to a
NULL Pointer Dereference.
* Enhanced window functions
* Enhanced VACUUM INTO so that it works for read-only databases.
* New query optimizations.
* Added the sqlite3_value_frombind() API for determining if the
argument to an SQL function is from a bound parameter.
* Security and compatibilities enhancements to fts3_tokenizer().
* Improved robustness against corrupt database files.
OBS-URL: https://build.opensuse.org/package/show/server:database/sqlite3?expand=0&rev=227
* Take advantage of the atomic-write capabilities in the F2FS
filesystem when available, for greatly reduced transaction
overhead. This currently requires the
SQLITE_ENABLE_BATCH_ATOMIC_WRITE compile-time option.
* Allow ATTACH and DETACH commands to work inside of a
transaction.
* Allow WITHOUT ROWID virtual tables to be writable if the
PRIMARY KEY contains exactly one column.
* The "fsync()" that occurs after the header is written in a
WAL reset now uses the sync settings for checkpoints.
This means it will use a "fullfsync" on macs if PRAGMA
checkpoint_fullfsync set on.
* The sqlite3_sourceid() function tries to detect if the source
code has been modified from what is checked into version
control and if there are modifications, the last four
characters of the version hash are shown as "alt1" or
"alt2". The objective is to detect accidental and/or
careless edits. A forger can subvert this feature.
* Improved de-quoting of column names for CREATE TABLE AS
statements with an aggregate query on the right-hand side.
* Fewer "stat()" system calls issued by the unix VFS.
* Enhanced the LIKE optimization so that it works with an
ESCAPE clause.
* Enhanced PRAGMA integrity_check and PRAGMA quick_check
to detect obscure row corruption that they were formerly
missing. Also update both pragmas so that they return
error text rather than SQLITE_CORRUPT when encountering
corruption in records.
* The query planner now prefers to implement FROM-clause
OBS-URL: https://build.opensuse.org/package/show/server:database/sqlite3?expand=0&rev=199
