sqlite3 - Debian Package Tracker

general

source: sqlite3 (main)
version: 3.53.2-1
maintainer: Laszlo Boszormenyi (GCS) (DMD)
arch: all any
std-ver: 4.7.2
VCS: unknown

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 3.34.1-3
o-o-sec: 3.34.1-3+deb11u1
oldstable: 3.40.1-2+deb12u2
stable: 3.46.1-7+deb13u1
testing: 3.46.1-9
unstable: 3.53.2-1

versioned links

3.34.1-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.34.1-3+deb11u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.40.1-2+deb12u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.46.1-7+deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.46.1-9: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
3.53.2-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

lemon (1 bugs: 0, 0, 1, 0)
libsqlite3-0 (15 bugs: 0, 15, 0, 0)
libsqlite3-dev (4 bugs: 0, 3, 1, 0)
libsqlite3-ext-csv
libsqlite3-ext-icu
libsqlite3-tcl (2 bugs: 0, 2, 0, 0)
sqlite3 (22 bugs: 0, 13, 9, 0)
sqlite3-doc
sqlite3-tools

action needed

2 security issues in forky high

There are 2 open security issues in forky.

2 important issues:

CVE-2026-11822: SQLite before 3.53.2 contains memory corruption vulnerabilities in the FTS5 full-text search extension that allow attackers to cause process crashes, memory exhaustion, or arbitrary code execution by supplying a crafted database with malformed FTS5 page data. Attackers can trigger an out-of-bounds read in fts5LeafSeek() via an attacker-controlled loop bound and a heap buffer overflow write in fts5ChunkIterate() through a crafted continuation page causing an integer underflow, exploitable when an FTS5 MATCH query is executed against the malicious database.
CVE-2026-11824: SQLite before 3.53.2 contains a heap-based buffer overflow vulnerability in the FTS5 full-text search extension that allows attackers to cause a crash or execute arbitrary code by supplying a crafted database with malicious continuation page metadata specifying a szLeaf value smaller than 4. Attackers can trigger an integer underflow in fts5ChunkIterate() causing an inflated remaining byte count during FTS5 MATCH query processing, leading to a heap buffer overflow of attacker-controlled data in applications compiled with SQLITE_ENABLE_FTS5.

Created: 2026-06-13 Last update: 2026-06-14 22:30

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 2-day delay is over. Check why.

Created: 2026-06-16 Last update: 2026-06-21 05:49

5 bugs tagged patch in the BTS normal

The BTS contains patches fixing 5 bugs, consider including or untagging them.

Created: 2026-06-02 Last update: 2026-06-21 05:00

lintian reports 6 warnings normal

Lintian reports 6 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-06-15 Last update: 2026-06-15 00:32

2 low-priority security issues in trixie low

There are 2 open security issues in trixie.

2 issues left for the package maintainer to handle:

CVE-2026-11822: (needs triaging) SQLite before 3.53.2 contains memory corruption vulnerabilities in the FTS5 full-text search extension that allow attackers to cause process crashes, memory exhaustion, or arbitrary code execution by supplying a crafted database with malformed FTS5 page data. Attackers can trigger an out-of-bounds read in fts5LeafSeek() via an attacker-controlled loop bound and a heap buffer overflow write in fts5ChunkIterate() through a crafted continuation page causing an integer underflow, exploitable when an FTS5 MATCH query is executed against the malicious database.
CVE-2026-11824: (needs triaging) SQLite before 3.53.2 contains a heap-based buffer overflow vulnerability in the FTS5 full-text search extension that allows attackers to cause a crash or execute arbitrary code by supplying a crafted database with malicious continuation page metadata specifying a szLeaf value smaller than 4. Attackers can trigger an integer underflow in fts5ChunkIterate() causing an inflated remaining byte count during FTS5 MATCH query processing, leading to a heap buffer overflow of attacker-controlled data in applications compiled with SQLITE_ENABLE_FTS5.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-06-13 Last update: 2026-06-14 22:30

4 low-priority security issues in bookworm low

There are 4 open security issues in bookworm.

4 issues left for the package maintainer to handle:

CVE-2025-7458: (needs triaging) An integer overflow in the sqlite3KeyInfoFromExprList function in SQLite versions 3.39.2 through 3.41.1 allows an attacker with the ability to execute arbitrary SQL statements to cause a denial of service or disclose sensitive information from process memory via a crafted SELECT statement with a large number of expressions in the ORDER BY clause.
CVE-2025-7709: (needs triaging) An integer overflow exists in the FTS5 https://sqlite.org/fts5.html extension. It occurs when the size of an array of tombstone pointers is calculated and truncated into a 32-bit integer. A pointer to partially controlled data can then be written out of bounds.
CVE-2026-11822: (postponed; to be fixed through a stable update) SQLite before 3.53.2 contains memory corruption vulnerabilities in the FTS5 full-text search extension that allow attackers to cause process crashes, memory exhaustion, or arbitrary code execution by supplying a crafted database with malformed FTS5 page data. Attackers can trigger an out-of-bounds read in fts5LeafSeek() via an attacker-controlled loop bound and a heap buffer overflow write in fts5ChunkIterate() through a crafted continuation page causing an integer underflow, exploitable when an FTS5 MATCH query is executed against the malicious database.
CVE-2026-11824: (postponed; to be fixed through a stable update) SQLite before 3.53.2 contains a heap-based buffer overflow vulnerability in the FTS5 full-text search extension that allows attackers to cause a crash or execute arbitrary code by supplying a crafted database with malicious continuation page metadata specifying a szLeaf value smaller than 4. Attackers can trigger an integer underflow in fts5ChunkIterate() causing an inflated remaining byte count during FTS5 MATCH query processing, leading to a heap buffer overflow of attacker-controlled data in applications compiled with SQLITE_ENABLE_FTS5.

You can find information about how to handle these issues in the security team's documentation.

Created: 2025-04-11 Last update: 2026-06-14 22:30

debian/patches: 2 patches to forward upstream low

Among the 3 debian patches available in version 3.53.2-1 of the package, we noticed the following issues:

2 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2026-06-14 13:00

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.4 instead of 4.7.2).

Created: 2025-02-21 Last update: 2026-06-14 13:30

testing migrations

excuses:
- Migration status for sqlite3 (3.46.1-9 to 3.53.2-1): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ Autopkgtest for cyrus-imapd/3.12.2-1: amd64: Pass, arm64: Test triggered (failure will be ignored), i386: Failed (not a regression) ♻ (reference ♻), loong64: Pass, ppc64el: Pass, riscv64: Pass, s390x: Pass
- ∙ ∙ Autopkgtest for lighttpd/1.4.82-3: s390x: Pass ♻
- ∙ ∙ Autopkgtest for nodejs/24.16.0+dfsg+~cs24.13.1-2: amd64: Pass, arm64: Pass, i386: Pass, loong64: Pass, ppc64el: Pass, riscv64: Test triggered (failure will be ignored), s390x: Pass
- ∙ ∙ Autopkgtest for orthanc/1.12.11+dfsg-7: s390x: Pass ♻
- ∙ ∙ Autopkgtest for postfix/3.11.3-2: s390x: Pass ♻
- ∙ ∙ Autopkgtest for presage/0.9.1-2.7: s390x: No tests, superficial or marked flaky ♻
- ∙ ∙ Autopkgtest for python3.13/3.13.14-1: amd64: Pass, arm64: Pass, i386: Pass, loong64: Pass, ppc64el: Pass, riscv64: Test triggered (failure will be ignored), s390x: Pass
- ∙ ∙ Autopkgtest for python3.14/3.14.6-1: amd64: Pass, arm64: Pass, i386: Pass, loong64: Pass, ppc64el: Pass, riscv64: Test triggered (failure will be ignored), s390x: Pass
- ∙ ∙ Autopkgtest for restfuldb/0.16.0+dfsg-1.1: s390x: Regression ♻ (reference ♻)
- ∙ ∙ Autopkgtest for ruby-sqlite3/2.9.3-1: amd64: Regression ♻ (reference ♻), arm64: Regression ♻ (reference ♻), i386: Regression ♻ (reference ♻), loong64: Regression ♻ (reference ♻), ppc64el: Regression ♻ (reference ♻), riscv64: Regression ♻ (reference ♻), s390x: Regression ♻ (reference ♻)
- ∙ ∙ Autopkgtest for tinysparql/3.11.1-1: amd64: Regression ♻ (reference ♻), arm64: Regression ♻ (reference ♻), i386: Regression ♻ (reference ♻), loong64: Failed (not a regression) ♻ (reference ♻), ppc64el: Regression ♻ (reference ♻), riscv64: Regression ♻ (reference ♻), s390x: Regression ♻ (reference ♻)
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/s/sqlite3.html
- ∙ ∙ Reproduced on amd64 - info
- ∙ ∙ Reproduced on arm64 - info
- ∙ ∙ Reproduced on armhf - info
- ∙ ∙ Reproduced on i386 - info
- ∙ ∙ 7 days old (needed 2 days)
- Not considered

news

[rss feed]

[2026-06-14] Accepted sqlite3 3.53.2-1 (source) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2026-03-01] Accepted sqlite3 3.46.1-7+deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Laszlo Boszormenyi)
[2026-01-29] sqlite3 3.46.1-9 MIGRATED to testing (Debian testing watch)
[2026-01-24] Accepted sqlite3 3.46.1-9 (source) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2025-09-13] sqlite3 3.46.1-8 MIGRATED to testing (Debian testing watch)
[2025-09-09] Accepted sqlite3 3.46.1-8 (source) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2025-08-31] Accepted sqlite3 3.40.1-2+deb12u2 (source) into oldstable-proposed-updates (Debian FTP Masters) (signed by: Laszlo Boszormenyi)
[2025-07-31] sqlite3 3.46.1-7 MIGRATED to testing (Debian testing watch)
[2025-07-25] Accepted sqlite3 3.46.1-7 (source) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2025-06-02] sqlite3 3.46.1-6 MIGRATED to testing (Debian testing watch)
[2025-05-28] Accepted sqlite3 3.46.1-6 (source) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2025-05-26] Accepted sqlite3 3.46.1-5 (source) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2025-05-14] sqlite3 3.46.1-4 MIGRATED to testing (Debian testing watch)
[2025-05-04] Accepted sqlite3 3.46.1-4 (source) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2025-04-14] sqlite3 3.46.1-3 MIGRATED to testing (Debian testing watch)
[2025-04-09] Accepted sqlite3 3.46.1-3 (source) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2025-03-13] sqlite3 3.46.1-2 MIGRATED to testing (Debian testing watch)
[2025-03-08] Accepted sqlite3 3.46.1-2 (source) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2025-03-06] Accepted sqlite3 3.46.1-2~exp (source amd64 all) into experimental (Debian FTP Masters) (signed by: Laszlo Boszormenyi)
[2024-11-03] Accepted sqlite3 3.40.1-2+deb12u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Adrian Bunk)
[2024-10-20] sqlite3 3.46.1-1 MIGRATED to testing (Debian testing watch)
[2024-09-30] Accepted sqlite3 3.34.1-3+deb11u1 (source) into oldstable-security (Adrian Bunk)
[2024-08-14] Accepted sqlite3 3.46.1-1 (source) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2024-06-07] sqlite3 3.46.0-1 MIGRATED to testing (Debian testing watch)
[2024-05-31] Accepted sqlite3 3.46.0-1 (source) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2024-05-07] Accepted sqlite3 3.45.3-2~exp1 (source) into experimental (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2024-05-06] sqlite3 3.45.3-1 MIGRATED to testing (Debian testing watch)
[2024-04-16] Accepted sqlite3 3.45.3-1 (source) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2024-03-13] Accepted sqlite3 3.45.2-1 (source) into unstable (Laszlo Boszormenyi (GCS)) (signed by: Laszlo Boszormenyi)
[2024-02-11] sqlite3 3.45.1-1 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 45 47
RC: 0
I&N: 32 34
M&W: 13
F&P: 0
patch: 5

links

homepage
lintian (0, 6)
buildd: logs, reproducibility, cross
popcon
browse source code
other distros
security tracker
screenshots
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 3.46.1-9