{"uuid": "7ef5c055-1896-406a-9e12-1454576c8408", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-6965", "type": "seen", "source": "https://gist.github.com/ViveliDuCh/2bc6bf4e8d9695a93a22e8caf5bc9202", "content": "# Backport PR: Switch Microsoft.Data.Sqlite and EFCore.Sqlite to SQLite3MC.PCLRaw.bundle (release/10.0)\n\nRecommended title and description for opening the servicing backport PR against `release/10.0`.\nFollows the established EF Core servicing-PR template (see #38066, #38007) and mirrors the parent change #38402.\n\n---\n\n## Title\n\n```\n[release/10.0] Switch Microsoft.Data.Sqlite and EFCore.Sqlite to SQLite3MC.PCLRaw.bundle\n```\n\n---\n\n## Description\n\n```markdown\nBackport of #38402 (with prerequisite #36551).\nFixes #38257.\n\n### Description\nChanges the `Microsoft.Data.Sqlite` and `Microsoft.EntityFrameworkCore.Sqlite` packages to\nbundle `SQLite3MC.PCLRaw.bundle` (SQLite3 Multiple Ciphers) instead of\n`SQLitePCLRaw.bundle_e_sqlite3`, giving shipped consumers a native SQLite build with\nencryption support by default. This is driven by the upstream SQLite security advisories\n(CVE-2025-6965, CVE-2025-70873); the `e_sqlite3mc` bundle tracks a patched native SQLite.\n\nBecause `SQLite3MC.PCLRaw.bundle` depends on `SQLitePCLRaw.core` >= 3.0.2, the backport also\npulls in the prerequisite SQLitePCLRaw 2.1.x -> 3.0.x migration (#36551), which the parent\nPR #38402 assumed was already present on `main` but is not on `release/10.0`. Without it the\nbuild fails with NU1109/NU1605 version conflicts.\n\n### Customer impact\nThe shipped `Microsoft.Data.Sqlite` and `Microsoft.EntityFrameworkCore.Sqlite` packages now\ncarry the encryption-capable, CVE-patched native SQLite build by default. This is a documented\nlow-impact breaking change (tracked by #38257, milestone 10.0.11). Most apps are unaffected,\nbut a small number may need action:\n- Apps with a direct `SQLitePCLRaw.bundle_e_sqlite3` reference that now conflicts with the new dependency.\n- Native asset name changes (`e_sqlite3` -> `e_sqlite3mc`) for apps that load the native library by name.\n- RID coverage gaps for less common platforms.\n- Reserved SQLite3MC encryption keywords / PRAGMAs.\n- Loss of legacy double-quoted string literal support (`e_sqlite3mc` rejects double-quoted string values).\n\nApps that need the old behavior can opt out by referencing `Microsoft.Data.Sqlite.Core`\n(or `Microsoft.EntityFrameworkCore.Sqlite.Core`) together with `SQLitePCLRaw.bundle_e_sqlite3`.\nThe opt-out and all migration guidance are documented in the EF Core 10 breaking-changes doc\n(EntityFramework.Docs companion PR).\n\n### How found\nSecurity-driven change flowed down from `main` (#38402) and EF Core 11; backported to 10.0\nservicing under tracking issue #38257.\n\n### Regression\nNo. This is a deliberate, security-motivated dependency change, not a fix for a regression.\nIt is shipped as an approved low-impact breaking change in 10.0 servicing.\n\n### Testing\nThe existing Microsoft.Data.Sqlite provider matrix continues to exercise the relevant bundles\nvia separate test projects and `DefineConstants`. Locally validated on `release/10.0`:\n- Default (`e_sqlite3mc`) suite: 679 passed / 7 skipped / 0 failed (net10.0).\n- net481: 668 passed / 0 failed.\n- winsqlite3 suite: 679 passed / 0 failed (net10.0).\n- sqlite3 suite: all-skipped on Windows (pre-existing; binds to absent system SQLite).\nRestore is clean (no NU1109/NU1605) and the Sqlite product projects build against the new bundle.\n\n### Risk\nLow, but user-visible. It is a breaking change to the native SQLite build shipped by the\npackage, mitigated by: (a) a documented opt-out back to `e_sqlite3`, (b) the change being\nmilestoned and approved as a low-impact breaking change for 10.0.11, and (c) unchanged managed\nAPI surface. The main behavioral differences are the native asset rename and the lack of legacy\ndouble-quoted string literal support.\n```\n\n---\n\n## Notes / deviations from the parent PR (#38402)\n\n- **Adds prerequisite #36551.** The parent PR only contained the bundle swap because `main`\n  already had SQLitePCLRaw 3.x. On `release/10.0` the baseline is `2.1.11`, so the 3.x migration\n  is rolled into this backport (required for the build to resolve).\n- **Test project plumbing differs from `main`.** On `release/10.0` the obsolete\n  `e_sqlcipher`/`e_sqlite3mc` test csprojs were removed and `provider.sqlite3`/`provider.winsqlite3`\n  packages introduced to match the 3.x package layout, rather than reusing `main`'s\n  `sqlite3mc.Tests` project shape.\n- **Companion docs PR.** A separate EntityFramework.Docs PR documents the breaking change for\n  the `ef-core-10.0` breaking-changes page (mirrors dotnet/EntityFramework.Docs#5385).\n", "creation_timestamp": "2026-06-27T01:53:27.423545Z"}