Hi Carlos

2016-03-01 19:27 GMT+01:00 Carlos Garnacho <carl...@gnome.org>:
> I talked with them (Richard Hipp and Dan Kennedy) through private
> email. The solutions basically seemed to be:
> - Including a static sqlite copy wherever fts3_tokenizer() is needed
> - Using FTS5, which offers a way to customize FTS tokenizing that is
> not affected by this vulnerability
> - Adding such a similar way to FTS3
>
> Basically, the vulnerability is completely intrinsic to the
> fts3_tokenizer() call with 2 arguments, they can't both fix the CVE
> and keep offering it unchanged. Of those three options, all three
> require changes in the users of this call, plus for the third we'd
> have to wait for an hypothetical change, and wouldn't erase 3.11 from
> earth either...
>
> So I took solutions 1 and 2 wherever they apply. I also considered
> backporting the FTS5 changes to stable branches, but it's too many
> changes and too bleeding edge for me to be comfortable with it...

Thanks for the explanation. I'm glad to hear that this embedded
copy is only a workaround for the stable 1.6 branch.
How far away is 1.7/1.8 from being declared stable?

Regards,
Michael

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?