{"uuid": "aa4a678c-c4a0-4304-adcf-ee87e205ba5b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-70873", "type": "seen", "source": "https://gist.github.com/ViveliDuCh/d3f7732e80ef2881f1817d6ff2a6b95f", "content": "# Step 3 (docs) \u2014 full code diff + draft docs PR for the SQLite3MC backport (8.0)\n\nCompanion to the [SQLite3MC 8.0 backport gist](https://gist.github.com/ViveliDuCh/624ca9db650db5005896a19a013f48f4). That gist describes **Step 3 (docs)** in prose; this one provides the actual, apply-ready unified diff plus a ready-to-paste **draft docs PR title and description**.\n\n- **Repo:** `dotnet/EntityFramework.Docs`\n- **File:** `entity-framework/core/what-is-new/ef-core-8.0/breaking-changes.md`\n- **Mirrors:** [dotnet/EntityFramework.Docs#5385](https://github.com/dotnet/EntityFramework.Docs/pull/5385) (the EF Core 11 page), adapted \"where applicable\" for the 8.0 servicing backport of [dotnet/efcore#38402](https://github.com/dotnet/efcore/pull/38402) (part of [dotnet/efcore#38257](https://github.com/dotnet/efcore/issues/38257)).\n\n## What mirrors #5385 vs. what's adapted for 8.0\n\n| Aspect in #5385 (11.0 page) | 8.0 page |\n| --- | --- |\n| New **Low-impact** entry *\"Microsoft.Data.Sqlite now bundles SQLite3 Multiple Ciphers\"* | \u2705 Mirrored \u2014 heading levels adapted to the 8.0 page's `##` / `###` / `####` convention |\n| Row added to a per-section *Low-impact changes* table | \u2705 Mirrored into the 8.0 page's single top-of-page **Summary** table |\n| Edits to *\"Encryption-enabled SQLite packages have been removed\"* | \u274c Skipped \u2014 section doesn't exist on 8.0 (no SQLitePCLRaw 3.x removal happened on 8.0) |\n| Edits to *\"Some SQLitePCLRaw bundle packages have been removed\"* (incl. 
the `bundle_e_sqlite3mc` \u2192 `SQLite3MC.PCLRaw.bundle` snippet) | \u274c Skipped \u2014 section doesn't exist on 8.0 |\n| Absolute \u2192 relative Learn link fix in the Cosmos entry | \u274c Skipped \u2014 that entry/line isn't on the 8.0 page |\n| Opt-out bundle version `3.x.x` | \ud83d\udd01 `2.1.6` (the version 8.0 shipped with) |\n| Package `Version=\"11.0.0\"` | \ud83d\udd01 `Version=\"8.0.x\"` |\n| *\"Why\"* references the removed `bundle_e_sqlcipher` section | \ud83d\udd01 Reworded \u2014 `bundle_e_sqlcipher` was **not** removed on 8.0; CVE rationale kept |\n| `ms.date` bump | \u2705 Mirrored (bumped to the edit date) |\n\n> The new entry is **Low-impact** because, for unencrypted databases, `e_sqlite3mc` behaves identically to `e_sqlite3`; the change is a native-bundle swap with documented, narrow edge cases and an opt-out.\n\n## Step 3 \u2014 full code diff\n\nApply against the 8.0 breaking-changes page (`git apply`, or just read it):\n\n````diff\ndiff --git a/entity-framework/core/what-is-new/ef-core-8.0/breaking-changes.md b/entity-framework/core/what-is-new/ef-core-8.0/breaking-changes.md\nindex d10766d..246a012 100644\n--- a/entity-framework/core/what-is-new/ef-core-8.0/breaking-changes.md\n+++ b/entity-framework/core/what-is-new/ef-core-8.0/breaking-changes.md\n@@ -2,7 +2,7 @@\n title: Breaking changes in EF Core 8.0 (EF8) - EF Core\n description: Complete list of breaking changes introduced in Entity Framework Core 8.0 (EF8)\n author: SamMonoRT\n-ms.date: 10/04/2024\n+ms.date: 06/26/2026\n uid: core/what-is-new/ef-core-8.0/breaking-changes\n ---\n \n@@ -37,6 +37,7 @@ EF Core 8 targets .NET 8. 
Applications targeting older .NET, .NET Core, and .NET\n | [SQL Server key values are compared case-insensitively](#casekeys)                                            | Low        |\n | [Multiple AddDbContext calls are applied in different order](#AddDbContext)                                   | Low        |\n | [EntityTypeAttributeConventionBase replaced with TypeAttributeConventionBase](#attributeConventionBase)       | Low        |\n+| [Microsoft.Data.Sqlite now bundles SQLite3 Multiple Ciphers](#sqlite3mc)                                      | Low        |\n \n ## High-impact changes\n \n@@ -688,3 +689,56 @@ In EF Core 8.0 `EntityTypeAttributeConventionBase` was renamed to `TypeAttribute\n \n Replace `EntityTypeAttributeConventionBase` usages with `TypeAttributeConventionBase`.\n \n+\n+\n+### Microsoft.Data.Sqlite now bundles SQLite3 Multiple Ciphers\n+\n+[Tracking PR dotnet/efcore#38402](https://github.com/dotnet/efcore/pull/38402)\n+\n+#### Old behavior\n+\n+The `Microsoft.Data.Sqlite` package referenced `SQLitePCLRaw.bundle_e_sqlite3` (version 2.1.6 on the 8.0 release branch), which provides the standard `e_sqlite3` native SQLite build. This build has no encryption support, so setting a password (for example, via `SqliteConnectionStringBuilder.Password` or the `Password` connection-string keyword) failed at runtime.\n+\n+#### New behavior\n+\n+Beginning with the 8.0.x servicing release that includes this change, the `Microsoft.Data.Sqlite` package references `SQLite3MC.PCLRaw.bundle`, which provides the `e_sqlite3mc` native build ([SQLite3 Multiple Ciphers](https://github.com/utelle/SQLite3MultipleCiphers)). This build receives updates on NuGet.org more promptly than `SQLitePCLRaw.bundle_e_sqlite3`.\n+\n+As an added bonus, encryption (including setting a password) now works out of the box. 
See the [SQLite3 Multiple Ciphers documentation](https://github.com/utelle/SQLite3MultipleCiphers-NuGet#passphrase-based-database-encryption-support) for details on enabling passphrase-based database encryption.\n+\n+This change also applies to the EF Core SQLite provider (`Microsoft.EntityFrameworkCore.Sqlite`), which references `SQLite3MC.PCLRaw.bundle` through `Microsoft.Data.Sqlite`.\n+\n+#### Why\n+\n+The primary reason for the switch is maintenance and security: new versions of the `e_sqlite3` native build are no longer published to NuGet.org through `SQLitePCLRaw.bundle_e_sqlite3` in a timely manner, which means security fixes in upstream SQLite (such as CVE-2025-6965 and CVE-2025-70873) can be delayed. SQLite3 Multiple Ciphers is an actively maintained project that tracks upstream SQLite releases and ships updated builds promptly, so it was adopted as the default native build for `Microsoft.Data.Sqlite`. As an added bonus, it also supports encryption.\n+\n+#### Mitigations\n+\n+For most applications, **no action is required**. SQLite3 Multiple Ciphers is a superset of SQLite that behaves identically to the standard build for unencrypted databases\u2014it only applies encryption when you explicitly supply a key or password. Existing unencrypted databases continue to open and work unchanged.\n+\n+Review the following cases, which may require action in some applications:\n+\n+- **Direct `SQLitePCLRaw.bundle_e_sqlite3` reference.** If your application directly references `SQLitePCLRaw.bundle_e_sqlite3`, it conflicts with the new `SQLite3MC.PCLRaw.bundle` dependency brought in by `Microsoft.Data.Sqlite` (or `Microsoft.EntityFrameworkCore.Sqlite`). 
Remove the direct `SQLitePCLRaw.bundle_e_sqlite3` reference unless you intentionally switch to the `.Core` packages shown below.\n+\n+- **Native library and provider name change.** The bundled native library is now `e_sqlite3mc` (rather than `e_sqlite3`), and the provider initialized by the bundle is `SQLite3Provider_e_sqlite3mc`. This matters if your application:\n+  - References a specific native asset filename (for example, `e_sqlite3`) in publishing, trimming, AOT, or single-file configuration. Update those references to `e_sqlite3mc`.\n+\n+- **Platform (RID) coverage.** SQLite3 Multiple Ciphers doesn't currently include native binaries for every runtime identifier covered by `SourceGear.sqlite3`; for example, `linux-riscv64`, `linux-musl-riscv64`, and `linux-musl-s390x` aren't included. If you target a platform that the new bundle doesn't include, the native library may fail to load at runtime. In that case, revert to the standard build using the package references below.\n+\n+- **Reserved encryption keywords.** SQLite3 Multiple Ciphers reserves certain connection-string/URI parameters and PRAGMAs (such as `key`, `hexkey`, and `cipher`) for encryption configuration. This is unlikely to affect typical applications, but if you happened to use these names for unrelated purposes, behavior may differ.\n+\n+- **Double-quoted string literal support.** `e_sqlite3mc` doesn't include SQLite's legacy support for double-quoted string literals. If your SQL uses double quotes for string values, change it to use single quotes; double quotes should be used only for identifiers. 
Review raw SQL in your application (for example, SQL passed to `FromSql`, `ExecuteSql`, or migrations operations), and use SQL logging or integration tests to identify affected commands.\n+\n+If you want to keep using the standard, non-encrypted `e_sqlite3` build, reference `Microsoft.Data.Sqlite.Core` together with `SQLitePCLRaw.bundle_e_sqlite3` instead of the `Microsoft.Data.Sqlite` meta-package:\n+\n+```xml\n+\n+\n+```\n+\n+For EF Core, reference `Microsoft.EntityFrameworkCore.Sqlite.Core` instead of `Microsoft.EntityFrameworkCore.Sqlite` and add the standard bundle:\n+\n+```xml\n+\n+\n+```\n+\n````\n\n## Draft docs PR (mirror of #5385 for the 8.0 page)\n\nMirrors the merged [dotnet/EntityFramework.Docs#5385](https://github.com/dotnet/EntityFramework.Docs/pull/5385), trimmed to only what applies to the 8.0 page. Open in `dotnet/EntityFramework.Docs` (same base branch the docs team is taking 8.0 servicing edits on).\n\n### Title\n\n```\nDocument Microsoft.Data.Sqlite SQLite3MC breaking change (8.0)\n```\n\n### Description\n\n````\nMirrors dotnet/EntityFramework.Docs#5385 for the EF Core 8.0 breaking-changes page.\n\nDocuments the `Microsoft.Data.Sqlite` switch from `SQLitePCLRaw.bundle_e_sqlite3`\n(2.1.6 on the 8.0 branch) to `SQLite3MC.PCLRaw.bundle`, shipped as an 8.0.x\nservicing update, including the security-update rationale and user-visible\ncompatibility risks. 
Backports the docs change for dotnet/efcore#38402; part of\ndotnet/efcore#38257.\n\n- **Breaking change entry**\n  - Adds a low-impact `Microsoft.Data.Sqlite` breaking change for the new\n    `e_sqlite3mc` native bundle.\n  - Clarifies that `Microsoft.EntityFrameworkCore.Sqlite` also references\n    `SQLite3MC.PCLRaw.bundle` through `Microsoft.Data.Sqlite`.\n  - Adds the entry to the page's top-level Summary table.\n\n- **User guidance**\n  - Links to SQLite3MC passphrase-based encryption documentation.\n  - Documents cases that may require action: direct\n    `SQLitePCLRaw.bundle_e_sqlite3` references that conflict with the new\n    dependency, native asset / provider name changes (`e_sqlite3` ->\n    `e_sqlite3mc`), specific RID coverage gaps, reserved encryption keywords,\n    and missing legacy double-quoted string literal support.\n  - Provides fallback guidance for apps that need the standard `e_sqlite3`\n    build (note the 8.0 opt-out pins 2.1.6, not 3.x.x):\n\n```xml\n\n\n```\n\n  - Provides EF Core fallback guidance using\n    `Microsoft.EntityFrameworkCore.Sqlite.Core`:\n\n```xml\n\n\n```\n\n**Not mirrored from #5385 (doesn't apply to 8.0):** edits to the\n\"Encryption-enabled SQLite packages have been removed\" and \"Some SQLitePCLRaw\nbundle packages have been removed\" sections \u2014 neither section exists on the 8.0\npage, because 8.0 did not migrate to SQLitePCLRaw 3.0 or remove those packages.\nAccordingly, the \"Why\" text omits the reference to the removed\n`bundle_e_sqlcipher` package, which is still present on 8.0.\n````\n\n### Suggested labels\n\n`area-adonet-sqlite`, `breaking-change`\n", "creation_timestamp": "2026-06-26T21:46:00.931265Z"}