diff --git a/Android/android.py b/Android/android.py index 75f73cd30993da..e6090aa1d80db0 100755 --- a/Android/android.py +++ b/Android/android.py @@ -187,7 +187,7 @@ def unpack_deps(host, prefix_dir): os.chdir(prefix_dir) deps_url = "https://github.com/beeware/cpython-android-source-deps/releases/download" for name_ver in ["bzip2-1.0.8-3", "libffi-3.4.4-3", "openssl-3.0.15-4", - "sqlite-3.49.1-0", "xz-5.4.6-1", "zstd-1.5.7-1"]: + "sqlite-3.50.4-0", "xz-5.4.6-1", "zstd-1.5.7-1"]: filename = f"{name_ver}-{host}.tar.gz" download(f"{deps_url}/{name_ver}/{filename}") shutil.unpack_archive(filename) diff --git a/Mac/BuildScript/build-installer.py b/Mac/BuildScript/build-installer.py index b31cb766a468f4..c6002a5c30bd9c 100755 --- a/Mac/BuildScript/build-installer.py +++ b/Mac/BuildScript/build-installer.py @@ -37,6 +37,7 @@ Usage: see USAGE variable in the script. """ import platform, os, sys, getopt, textwrap, shutil, stat, time, pwd, grp +import hashlib try: import urllib2 as urllib_request except ImportError: @@ -359,9 +360,9 @@ def library_recipes(): ), ), dict( - name="SQLite 3.49.1", - url="https://sqlite.org/2025/sqlite-autoconf-3490100.tar.gz", - checksum="106642d8ccb36c5f7323b64e4152e9b719f7c0215acf5bfeac3d5e7f97b59254", + name="SQLite 3.50.4", + url="https://www.sqlite.org/2025/sqlite-autoconf-3500400.tar.gz", + checksum="sha3-256:330bb88febc08814d49406391891eddac59e5f812e87b83c27ab172687554375", extra_cflags=('-Os ' '-DSQLITE_ENABLE_FTS5 ' '-DSQLITE_ENABLE_FTS4 ' @@ -795,7 +796,7 @@ def downloadURL(url, fname): def verifyThirdPartyFile(url, checksum, fname): """ Download file from url to filename fname if it does not already exist. - Abort if file contents does not match supplied md5 checksum. + Abort if file contents does not match supplied hashlib checksum. """ name = os.path.basename(fname) if os.path.exists(fname): 
@@ -805,16 +806,30 @@ def verifyThirdPartyFile(url, checksum, fname): print("Downloading %s"%(name,)) downloadURL(url, fname) print("Archive for %s stored as %s"%(name, fname)) - if len(checksum) == 32: + if ':' in checksum: + algo, _, checksum = checksum.partition(':') + assert algo in hashlib.algorithms_guaranteed, f"Unsupported {algo}, try sha3-256 or sha256 instead." + if algo in ("md5", "sha1"): + raise ValueError(f"Known insecure checksum algorithm {algo} for {fname}.") + if algo.startswith(("shake", "blake")): + raise ValueError(f"Please stick to sha2 or sha3 standard checksum algorithms, not {algo}") + # TODO remove length based logic AND legacy md5s after updating the ones we already list. + elif len(checksum) == 32: algo = 'md5' + print("WARNING: insecure md5 used for {fname}", file=sys.stderr) elif len(checksum) == 64: algo = 'sha256' else: raise ValueError(checksum) - if os.system( - 'CHECKSUM=$(openssl %s %s) ; test "${CHECKSUM##*= }" = "%s"' - % (algo, shellQuote(fname), checksum) ): - fatal('%s checksum mismatch for file %s' % (algo, fname)) + with open(fname, 'rb') as downloaded_file: + if hasattr(hashlib, 'file_digest'): + hasher = hashlib.file_digest(downloaded_file, algo) # 3.11+ + else: + hasher = hashlib.new(algo, downloaded_file.read()) + computed_checksum = hasher.hexdigest() + if computed_checksum != checksum: + fatal(f"{algo} hashlib checksum mismatch for file {fname}") + def build_universal_openssl(basedir, archList): """ diff --git a/Misc/NEWS.d/next/Windows/2025-07-27-02-16-53.gh-issue-137134.W0WpDF.rst b/Misc/NEWS.d/next/Windows/2025-07-27-02-16-53.gh-issue-137134.W0WpDF.rst new file mode 100644 index 00000000000000..ddccf95b7d039a --- /dev/null +++ b/Misc/NEWS.d/next/Windows/2025-07-27-02-16-53.gh-issue-137134.W0WpDF.rst @@ -0,0 +1 @@ +Update Windows installer to ship with SQLite 3.50.4. 
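Review bot: The `assert algo in hashlib.algorithms_guaranteed` gate in the new `':' in checksum` branch of verifyThirdPartyFile looks like it will reject the `sha3-256:` prefix that this commit's own SQLite recipe uses, because that set spells its names with underscores (`sha3_256`). Being an `assert`, it is also skipped entirely under `python -O`, so it should not be the check that decides which digest algorithm is accepted. Consider normalising the name and raising instead: `algo = algo.replace('-', '_')` followed by `if algo not in hashlib.algorithms_guaranteed: raise ValueError(f"Unsupported {algo}, try sha3-256 or sha256 instead.")`. Separately, the md5 warning lacks its `f` prefix and prints the literal `{fname}`; it should read `print(f"WARNING: insecure md5 used for {fname}", file=sys.stderr)`. The function body starts before this hunk, so the download and early-exit paths above it are not covered by this note.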
diff --git a/Misc/NEWS.d/next/macOS/2025-07-27-02-17-40.gh-issue-137134.pjgITs.rst b/Misc/NEWS.d/next/macOS/2025-07-27-02-17-40.gh-issue-137134.pjgITs.rst
new file mode 100644
index 00000000000000..957270f5abae93
--- /dev/null
+++ b/Misc/NEWS.d/next/macOS/2025-07-27-02-17-40.gh-issue-137134.pjgITs.rst
@@ -0,0 +1 @@
+Update macOS installer to ship with SQLite version 3.50.4.
diff --git a/Misc/externals.spdx.json b/Misc/externals.spdx.json
index 69f3beec82ed34..a87af7f9173780 100644
--- a/Misc/externals.spdx.json
+++ b/Misc/externals.spdx.json
@@ -91,21 +91,21 @@
 "checksums": [
 {
 "algorithm": "SHA256",
- "checksumValue": "e335aeb44fa36cde60ecbb6a9f8be6f5d449d645ce9b0199ee53a7e6728d19d2"
+ "checksumValue": "fb5ab81f27612b0a7b4861ba655906c76dc85ee969e7a4905d2075aff931e8d0"
 }
 ],
- "downloadLocation": "https://github.com/python/cpython-source-deps/archive/refs/tags/sqlite-3.49.1.0.tar.gz",
+ "downloadLocation": "https://github.com/python/cpython-source-deps/archive/refs/tags/sqlite-3.50.4.0.tar.gz",
 "externalRefs": [
 {
 "referenceCategory": "SECURITY",
- "referenceLocator": "cpe:2.3:a:sqlite:sqlite:3.49.1.0:*:*:*:*:*:*:*",
+ "referenceLocator": "cpe:2.3:a:sqlite:sqlite:3.50.4.0:*:*:*:*:*:*:*",
 "referenceType": "cpe23Type"
 }
 ],
 "licenseConcluded": "NOASSERTION",
 "name": "sqlite",
 "primaryPackagePurpose": "SOURCE",
- "versionInfo": "3.49.1.0"
+ "versionInfo": "3.50.4.0"
 },
 {
 "SPDXID": "SPDXRef-PACKAGE-tcl-core",
diff --git a/PCbuild/get_externals.bat b/PCbuild/get_externals.bat
index e29054f5734d49..eff8d1ccd7f146 100644
--- a/PCbuild/get_externals.bat
+++ b/PCbuild/get_externals.bat
@@ -56,7 +56,7 @@ set libraries=%libraries% bzip2-1.0.8 if NOT "%IncludeLibffiSrc%"=="false" set libraries=%libraries% libffi-3.4.4 if NOT "%IncludeSSLSrc%"=="false" set libraries=%libraries% openssl-3.0.16 set libraries=%libraries% mpdecimal-4.0.0 -set libraries=%libraries% sqlite-3.49.1.0 +set libraries=%libraries% sqlite-3.50.4.0 if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tcl-core-8.6.15.0 if NOT "%IncludeTkinterSrc%"=="false" set libraries=%libraries% tk-8.6.15.0 set libraries=%libraries% xz-5.2.5 diff --git a/PCbuild/python.props b/PCbuild/python.props index ddc7696d2762fe..e1c2ff3fe3cc11 100644 --- a/PCbuild/python.props +++ b/PCbuild/python.props @@ -74,7 +74,7 @@ - $(ExternalsDir)sqlite-3.49.1.0\ + $(ExternalsDir)sqlite-3.50.4.0\ $(ExternalsDir)bzip2-1.0.8\ $(ExternalsDir)xz-5.2.5\ $(ExternalsDir)libffi-3.4.4\ diff --git a/PCbuild/readme.txt b/PCbuild/readme.txt index 3ae3255d933967..27c0d382281bdb 100644 --- a/PCbuild/readme.txt +++ b/PCbuild/readme.txt @@ -237,7 +237,7 @@ _ssl again when building. _sqlite3 - Wraps SQLite 3.49.1, which is itself built by sqlite3.vcxproj + Wraps SQLite 3.50.4, which is itself built by sqlite3.vcxproj Homepage: https://www.sqlite.org/ pFad - Phonifier reborn
