
Fedora 41: sqlite Critical Integer Overflow CVE Fix FEDORA-2025-39461417a6

fedora
October 3, 2025
Critical update for Fedora 41 sqlite to address CVE-2025-6965 and integer overflow issues, securing the database engine.
cve fixes

Summary

SQLite is a C library that implements an SQL database engine. A large subset of SQL92 is supported. A complete database is stored in a single disk file. The API is designed for convenience and ease of use. Applications that link against SQLite can enjoy the power and flexibility of an SQL database without the administrative hassles of supporting a separate database server. Version 2 and version 3 binaries are named to permit each to be installed on a single host.

SQLite is built with some non-default settings:

- Additional APIs for table and query metadata are enabled (SQLITE_ENABLE_COLUMN_METADATA)
- Directory syncs are disabled (SQLITE_DISABLE_DIRSYNC)
- `secure_delete` defaults to 'on', so deleted content is overwritten with zeros (SQLITE_SECURE_DELETE)
- `sqlite3_unlock_notify()` is enabled; this feature allows registering a callback that is invoked when a lock is removed (SQLITE_ENABLE_UNLOCK_NOTIFY)
- `dbstat` virtual table with disk space usage is enabled
- `dbpage` virtual table providing direct access to the underlying database file is enabled (SQLITE_ENABLE_DBPAGE_VTAB)
- Threadsafe mode is set to 1 (Serialized), so it is safe to use in a multithreaded environment (SQLITE_THREADSAFE=1)
- FTS3, FTS4 and FTS5 are enabled, so versions 3 to 5 of the full-text search engine are available (SQLITE_ENABLE_FTS3, SQLITE_ENABLE_FTS4, SQLITE_ENABLE_FTS5)
- Pattern parser in the FTS3 extension supports nested parentheses and the operators `AND`, `OR` (SQLITE_ENABLE_FTS3_PARENTHESIS)
- R*Tree index extension is enabled (SQLITE_ENABLE_RTREE)
- Extension loading is enabled
- Sessions (the sqlite-session feature) are enabled
- Preupdate hook is enabled

Note also that the SQLite shell has some extensions as its dependencies, so some extensions are enabled by default in the shell but not in the system libraries. Only the following extensions are available in the libraries: FTS3, FTS4, FTS5, R*Tree
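To confirm which of the build settings listed above are present in the library an application actually loads, the following added example (not part of the Fedora advisory or of SQLite itself) reads `PRAGMA compile_options` through Python's `sqlite3` module. The `REVIEW` set and the function names are assumptions of this example.

```python
import sqlite3

# Flags named in the advisory, as PRAGMA compile_options reports them
# (SQLite omits the SQLITE_ prefix in that output).
EXPECTED = {
    "ENABLE_COLUMN_METADATA", "DISABLE_DIRSYNC", "SECURE_DELETE",
    "ENABLE_UNLOCK_NOTIFY", "ENABLE_DBPAGE_VTAB", "THREADSAFE=1",
    "ENABLE_FTS3", "ENABLE_FTS4", "ENABLE_FTS5",
    "ENABLE_FTS3_PARENTHESIS", "ENABLE_RTREE",
}
# Assumption of this example: the flag worth reviewing when an application
# runs SQL it did not write, because dbpage exposes raw database pages.
REVIEW = {"ENABLE_DBPAGE_VTAB"}


def audit(options):
    """Compare reported compile options with the advisory's list.

    Returns (missing, review): expected flags that are absent, and
    present flags that widen what SQL statements can reach.
    """
    seen = {o.strip().removeprefix("SQLITE_") for o in options}
    return sorted(EXPECTED - seen), sorted(REVIEW & seen)


def linked_library_report(conn=None):
    """Audit the libsqlite3 that this Python interpreter is linked against."""
    conn = conn or sqlite3.connect(":memory:")
    options = [row[0] for row in conn.execute("PRAGMA compile_options")]
    missing, review = audit(options)
    # 0 = off, 1 = on, 2 = "fast" mode; SQLITE_SECURE_DELETE makes 1 the default.
    secure_delete = conn.execute("PRAGMA secure_delete").fetchone()[0]
    return {
        "version": sqlite3.sqlite_version,
        "missing": missing,
        "review": review,
        "secure_delete": secure_delete,
    }


if __name__ == "__main__":
    for key, value in linked_library_report().items():
        print(f"{key}: {value}")
```

A non-empty `missing` list means the interpreter is linked against a libsqlite3 built differently from the one this advisory describes, for example a bundled copy rather than the system package.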

Update Information:

cve fixes

Change Log

* Fri Sep 26 2025 Ales Nezbeda - 3.45.1-5
- Rebuild

* Fri Sep 26 2025 Ales Nezbeda - 3.45.1-4
- Fix for CVE-2025-6965
- Resolves: BZ#2380236

References


[ 1 ] Bug #2359648 - CVE-2025-3277 sqlite: integer overflow in SQLite [fedora-41] https://bugzilla.redhat.com/show_bug.cgi?id=2359648

[ 2 ] Bug #2380236 - CVE-2025-6965 sqlite: Integer Truncation in SQLite [fedora-41] https://bugzilla.redhat.com/show_bug.cgi?id=2380236

Update Instructions

This update can be installed with the "dnf" update program. Use `su -c 'dnf upgrade --advisory FEDORA-2025-39461417a6'` at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity
critical

Name: sqlite
Product: Fedora 41
Version: 3.46.1
Release: 5.fc41
Summary: Library that implements an embeddable SQL database engine
