Notifications about security bugs in SQLCipher


#1

Hello,

We’d like to use the community version of SQLCipher in our project but are worried about missing security fixes you might release in future.
Are you reporting such bugs as CVEs? (There is no CVE so far.)

What recommendation do you have to ensure we’re always up to date and not missing any security patch you might release? Is there something equivalent like the CipherCare package in the commercial package for the community edition?

Thanks!
Soeren


#2

Hello @soeren. Thanks for getting in touch about SQLCipher. In order to keep up to date on SQLCipher Community Edition, we would recommend the following:

  1. Subscribe to the SQLCipher “Updates” category here on discuss.zetetic.net. We would recommend that you enable email notifications, so that you get immediate notices of any updates that are posted.
  2. Follow the SQLCipher project(s) on GitHub, so that you can be notified of any commits, updates, and issues posted there.
  3. You may also want to track SQLite’s upstream development and bug tracker as well.

With respect to CVE postings, there are two things to keep an eye on. One would be SQLite, on which SQLCipher is based. CVEs for SQLite could also affect SQLCipher packages based on the same upstream version of SQLite (though not always). We do not duplicate CVEs with SQLite to avoid redundancy. Of course if there were major security issues with SQLCipher itself that did not originate through SQLite, those would warrant their own separate CVEs.

If you are using SQLCipher as an important component in your software, you may also want to consider either Commercial Edition with CipherCare or the SQLCipher Enterprise program. A major benefit of these offerings is that you get support directly from the SQLCipher development team, as well as proactive notifications related to upgrades and other important issues.

Unfortunately we do not offer CipherCare coverage for community edition at this time.
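Because SQLCipher does not duplicate SQLite CVEs, a vulnerability scan has to know which upstream SQLite version a given SQLCipher build embeds. The following added example (not part of this thread or of the SQLCipher project) shows a check for that: it reads `sqlite_version()` and the SQLCipher-specific `PRAGMA cipher_version` from the linked library, falls back cleanly when the process is linked against stock SQLite, and compares the embedded version against a constructed list of "fixed in" versions. The advisory identifiers and fixed-in versions are placeholders, not real CVEs.

```python
import sqlite3
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn 'major.minor.patch' into a comparable tuple; missing parts count as 0."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def inspect_build(conn: sqlite3.Connection) -> Tuple[Version, Optional[str]]:
    """Return (embedded SQLite version, SQLCipher cipher_version or None).

    PRAGMA cipher_version exists only in SQLCipher. Stock SQLite silently
    returns no rows for an unknown pragma, so a None here means the process
    is not actually linked against SQLCipher, which is worth flagging.
    """
    sqlite_ver = parse_version(conn.execute("SELECT sqlite_version()").fetchone()[0])
    row = conn.execute("PRAGMA cipher_version").fetchone()
    return sqlite_ver, (row[0] if row else None)


def inspect_current_process() -> Tuple[Version, Optional[str]]:
    """Inspect whatever library the sqlite3 module of this process is linked to."""
    with sqlite3.connect(":memory:") as conn:
        return inspect_build(conn)


def affected_by(build: Version, fixed_in: Version) -> bool:
    """An upstream SQLite fix applies to every build whose embedded SQLite is older."""
    return build < fixed_in


# Constructed sample feed (placeholders, not real advisories): id -> SQLite version with the fix.
SAMPLE_ADVISORIES: Dict[str, str] = {
    "CVE-PLACEHOLDER-1": "3.40.1",
    "CVE-PLACEHOLDER-2": "3.41.2",
}


def open_advisories(build: Version, advisories: Dict[str, str] = SAMPLE_ADVISORIES) -> List[str]:
    """Advisories whose fix is newer than the embedded SQLite, i.e. still open for this build."""
    return sorted(k for k, v in advisories.items() if affected_by(build, parse_version(v)))


if __name__ == "__main__":
    ver, cipher = inspect_current_process()
    print("SQLite", ".".join(map(str, ver)), "| SQLCipher:", cipher or "NOT LINKED")
    print("open:", open_advisories(ver))
```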


#3

Hello @sjlombardo,

Thanks for your quick reply!
Perfect, so we’ll simply scan for SQLite and SQLCipher CVEs to cover our vulnerability management.

Thanks!
Sören