Just did a search of my computer for SQLite instances ..

GOG Galaxy has installed old versions of SQLite, which are now considered exploitable security vulnerabilities.

These need updating / weeded out by GOG Galaxy if there are legacy installations no longer in use.

Could you guys address this as soon as possible.

https://www.sqlite.org/index.html

The latest release is v3.39.4 released 29th September 2022

Couple of CVEs in the changelog https://www.sqlite.org/releaselog/3_39_4.html

The ones installed by Galaxy were last modified in February 2022 see screenshot below ..
Attachments:
untitled.png (26 Kb)
Post edited November 08, 2022 by alt3rn1ty
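File modification times, as used in the post above, do not identify which SQLite build a binary contains; the library embeds the source-ID string returned by `sqlite3_sourceid()`. The added example below (not code from this thread, from GOG or from the SQLite project) scans a directory tree for that string and lists binaries whose embedded check-in date is older than the 3.39.4 release date quoted above. The suffix list and the use of that date as the baseline are assumptions.

```python
"""Inventory bundled SQLite copies by embedded source ID rather than file mtime."""
import re
import sys
from datetime import date
from pathlib import Path

# sqlite3_sourceid() format: "YYYY-MM-DD HH:MM:SS <check-in hash>". The string is
# compiled into any binary that contains the library (SHA-1 or SHA3-256 hash).
SOURCE_ID = re.compile(
    rb"(\d{4})-(\d\d)-(\d\d) \d\d:\d\d:\d\d (?:[0-9a-f]{64}|[0-9a-f]{40})")
BINARY_SUFFIXES = {".dll", ".exe", ".so", ".dylib"}  # assumption: adjust per platform
# Release date of 3.39.4 as quoted in the thread; used here as the baseline.
BASELINE = date(2022, 9, 29)


def source_dates(blob: bytes) -> list[date]:
    """Return the check-in date of every SQLite source ID found in blob."""
    found = []
    for m in SOURCE_ID.finditer(blob):
        try:
            found.append(date(int(m[1]), int(m[2]), int(m[3])))
        except ValueError:  # digits shaped like a date that are not a real date
            continue
    return found


def scan_tree(root: Path, baseline: date = BASELINE) -> list[tuple[Path, date]]:
    """List (file, oldest source date) for binaries embedding SQLite older than baseline."""
    stale = []
    for path in sorted(root.rglob("*")):
        if path.suffix.lower() not in BINARY_SUFFIXES or not path.is_file():
            continue
        try:
            dates = source_dates(path.read_bytes())
        except OSError:  # locked or unreadable file: skip it, keep scanning
            continue
        if dates and min(dates) < baseline:
            stale.append((path, min(dates)))
    return stale


if __name__ == "__main__":
    for path, built in scan_tree(Path(sys.argv[1] if len(sys.argv) > 1 else ".")):
        print(f"{built}  {path}")
```

A hit shows only that an older build is present on disk, not that the application exposes it to untrusted SQL or database files.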
@Moderators - Could you bring this to the attention of the developers ASAP please.
alt3rn1ty: @Moderators - Could you bring this to the attention of the developers ASAP please.
Open a support ticket. There's also the Report a Bug option in the GOG Galaxy menu, but I haven't seen anyone handle bug reports filed there.

Staff don't scour the forum for reports of technical problems. They're only to be contacted when you're having trouble with a support ticket; they're not an alternative to the support system itself.
Uninstalled GOG Galaxy until this is fixed.
Something to remember / know :

....
CVEs ("Common Vulnerabilities and Exposures") about SQLite probably do not apply to your use of SQLite.

All historical vulnerabilities reported against SQLite require at least one of these preconditions:

- The attacker can submit and run arbitrary SQL statements.

- The attacker can submit a maliciously crafted database file to the application that the application will then open and query.

Few real-world applications meet either of these preconditions, and hence few real-world applications are vulnerable, even if they use older and unpatched versions of SQLite.

The SQLite development team fixes bugs promptly, usually within hours of discovery. New releases of SQLite are issued if the bug seems likely to impact real-world applications.

Grey-hat hackers are rewarded based on the number and severity of CVEs that they write. This results in a proliferation of CVEs that have minor impact, or no impact at all, but which make exaggerated impact claims.

Very few CVEs written about SQLite are real vulnerabilities in the sense that they do not give any new capabilities to an attacker.
....
For info the latest CVE, as in the one mentioned in the OP, was discovered in early March but only fixed in late July.
Post edited November 08, 2022 by Gersen