We’re pleased to announce the immediate availability of SQLCipher 4.9.0. This is a patch release and security update that:
- Updates the SQLite baseline to SQLite 3.49.2 to address a security issue in the upstream SQLite library.
- Fixes a small resource leak related to library cleanup when compiling with `SQLITE_OMIT_AUTOINIT` defined.
The SQLite 3.49.2 update fixes a bug that could allow someone with access to run arbitrary `CREATE TABLE` statements to trigger a memory error and process crash. The issue was introduced along with NOT NULL optimizations in SQLite 3.40.0 and subsequently incorporated into SQLCipher 4.5.4.
Since it is extremely unusual for secured applications to allow untrusted schema modifications, this may be classified as a moderate-severity issue. Applications that use SQLCipher 4.5.4 through 4.8.0 and allow untrusted schema modification are strongly advised to upgrade.
Important Note: Applications upgrading from versions of SQLCipher 4.6.1 or earlier should be aware that this version of SQLCipher incorporates several potential breaking changes from SQLCipher 4.7.0. Please carefully review the 4.7.0 release notes before upgrading.
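As an added example (not part of the SQLCipher release notes or the project's code), the following sketch triages version strings, as returned by `PRAGMA cipher_version`, against the affected range and the 4.6.1 upgrade note stated above. The function names and the sample inventory are constructed for illustration.

```python
import re

# Ranges taken from the announcement text above.
AFFECTED_FIRST = (4, 5, 4)   # first SQLCipher release carrying the SQLite bug
AFFECTED_LAST = (4, 8, 0)    # last release before the 4.9.0 fix
REVIEW_MAX = (4, 6, 1)       # at or below this: review 4.7.0 breaking changes

def parse_cipher_version(raw):
    """Return (major, minor, patch) from a cipher_version string, or None."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", raw or "")
    return tuple(int(p) for p in m.groups()) if m else None

def assess(raw):
    """Classify one version string against the ranges in the announcement."""
    v = parse_cipher_version(raw)
    if v is None:
        return {"version": None, "affected": None, "review_4_7_0_notes": None}
    return {
        "version": v,
        # In range only; real exposure also needs untrusted schema changes.
        "affected": AFFECTED_FIRST <= v <= AFFECTED_LAST,
        "review_4_7_0_notes": v <= REVIEW_MAX,
    }

def triage(inventory):
    """Group application names by the action the announcement calls for."""
    report = {"upgrade": [], "review_breaking_changes": [], "unknown": []}
    for name, raw in sorted(inventory.items()):
        result = assess(raw)
        if result["version"] is None:
            report["unknown"].append(name)
            continue
        if result["affected"]:
            report["upgrade"].append(name)
        if result["review_4_7_0_notes"]:
            report["review_breaking_changes"].append(name)
    return report

# Constructed sample inventory: application name -> reported version string.
SAMPLE_INVENTORY = {
    "billing-service": "4.5.4 community",
    "mobile-sync": "4.8.0 community",
    "legacy-export": "4.5.3 community",
    "reporting": "4.9.0 community",
    "unlinked-tool": "",  # no version reported (assumed: not a SQLCipher build)
}

if __name__ == "__main__":
    print(triage(SAMPLE_INVENTORY))
```

An application listed under `upgrade` runs a version in the affected range; whether it is actually exposed still depends on whether it allows untrusted schema modification.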