Re: [sqlite] CVEs opened on 3.30.1 status

Thanks a lot for the prompt response. As far as I found in the Fossil repository, fixes for all CVEs, excepting the erroneously submitted CVE-2019-19646, were merged to Fossil. Can you please estimate the next official release of SQLite including these fixes?

Regards,
Alex

-----Original Message-----
From: drhsql...@gmail.com On Behalf Of Richard Hipp
Sent: Tuesday, December 24, 2019 6:31 PM
To: SQLite mailing list
Cc: Raitses, Alex
Subject: Re: [sqlite] CVEs opened on 3.30.1 status

On 12/24/19, Raitses, Alex wrote:
> Hi,
> Can you please update on the status of the following CVEs submitted on 3.30.1?
> The CVEs' links to patches reference a GitHub branch, however I could find
> corresponding submits to the Fossil repository.
> CVE list:
> https://nvd.nist.gov/vuln/detail/CVE-2019-19244
> https://nvd.nist.gov/vuln/detail/CVE-2019-19603
> https://nvd.nist.gov/vuln/detail/CVE-2019-19242
> https://nvd.nist.gov/vuln/detail/CVE-2019-19646
> https://nvd.nist.gov/vuln/detail/CVE-2019-19645

None of these CVEs describe actual vulnerabilities, at least not for the typical use-case for SQLite. If you have an unusual application in which you allow unauthenticated users to submit arbitrary SQL to your application, then four of these CVEs describe a denial-of-service opportunity to an attacker. In other words, an attacker who can present arbitrary SQL queries (and DDL statements) to the application can cause the application to crash. Not many applications fall into that category, though. The only application that I know of that does this is the Chrome web-browser.

How does your application use SQLite? Do you allow anonymous attackers to present arbitrary SQL to your application? If not, then none of this applies to you.

CVE-2019-19646 describes a bug in a new feature of SQLite that has not yet been released. CVE-2019-19646 was apparently submitted in error. Unfortunately, we do not know of any mechanism to correct erroneous CVEs. Do you?

All of the problems described by the CVEs you list have been fixed. In fact, most of the CVEs you list point to the check-in that fixes the problem, in a GitHub mirror of the SQLite repository.

The SQLite developers do not issue or track CVEs. CVEs against SQLite are issued by third parties, typically third parties who are running fuzzers against SQLite, and usually without the consultation or approval of the SQLite developers.

-- 
D. Richard Hipp
d...@sqlite.org

---------------------------------------------------------------------
Intel Israel (74) Limited

This e-mail and any attachments may contain confidential material for the sole use of the intended recipient(s). Any review or distribution by others is strictly prohibited. If you are not the intended recipient, please contact the sender and delete all copies.

_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
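The exposure Hipp describes above (only applications that let untrusted parties submit arbitrary SQL and DDL are affected) also points at the mitigation: confine what untrusted SQL is allowed to do. The following is an added example, not code from this thread or from the SQLite project; it installs a Python `sqlite3` authorizer that refuses everything except read-only SELECTs over a whitelisted table, with the table names and rows constructed for the demo.

```python
import sqlite3

# Constructed demo schema: untrusted SQL may only read this table.
ALLOWED_TABLES = {"products"}


def _authorizer(action, arg1, arg2, dbname, source):
    """SQLite consults this callback while *compiling* each statement.

    Returning SQLITE_DENY aborts compilation, so DDL, writes, PRAGMA,
    ATTACH and reads of other tables never reach the bytecode engine.
    """
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ:
        # arg1 is the table name, arg2 the column being read.
        return sqlite3.SQLITE_OK if arg1 in ALLOWED_TABLES else sqlite3.SQLITE_DENY
    if action == sqlite3.SQLITE_FUNCTION:
        return sqlite3.SQLITE_OK  # built-in functions such as count()
    return sqlite3.SQLITE_DENY    # CREATE/DROP/INSERT/DELETE/PRAGMA/ATTACH/...


def make_restricted_connection():
    """Build the constructed schema with full rights, then lock it down."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE secrets(token TEXT)")
    conn.executemany("INSERT INTO products(name) VALUES (?)",
                     [("widget",), ("gadget",)])
    conn.commit()
    # SQLite expires statements prepared before an authorizer is installed,
    # so the setup statements above cannot be replayed unchecked from
    # Python's statement cache.
    conn.set_authorizer(_authorizer)
    return conn


def run_untrusted(conn, sql):
    """Return ("ok", rows) for permitted SQL, ("denied", reason) otherwise."""
    try:
        return "ok", conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:  # SQLITE_AUTH surfaces here
        return "denied", str(exc)


if __name__ == "__main__":
    conn = make_restricted_connection()
    for sql in ("SELECT name FROM products ORDER BY id",
                "SELECT token FROM secrets",
                "DROP TABLE products",
                "PRAGMA writable_schema=ON"):
        print(sql, "->", run_untrusted(conn, sql))
```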
[sqlite] CVEs opened on 3.30.1 status

Hi,
Can you please update on the status of the following CVEs submitted on 3.30.1? The CVEs' links to patches reference a GitHub branch, however I could find corresponding submits to the Fossil repository.

CVE list:
https://nvd.nist.gov/vuln/detail/CVE-2019-19244
https://nvd.nist.gov/vuln/detail/CVE-2019-19603
https://nvd.nist.gov/vuln/detail/CVE-2019-19242
https://nvd.nist.gov/vuln/detail/CVE-2019-19646
https://nvd.nist.gov/vuln/detail/CVE-2019-19645

Regards,
Alex
[sqlite] CVE-2019-19317

Hello,
CVE-2019-19317 (https://nvd.nist.gov/vuln/detail/CVE-2019-19317) was submitted on SQLite. As far as I can see, the patch is already submitted. Can you confirm, please? Do you have an estimate for the fixed version release?

Thanks in advance,
Regards,
Alex
[sqlite] Klocwork static analysis report

Hello,
Please find attached the Klocwork static analysis report for "C source code as an amalgamation", version 3.30.1 (sqlite3.c). Can you please review the attached report and update which bugs can be fixed?

Regards,
Alex
Re: [sqlite] SQLite version 3.30.0 in about two weeks.

Hello,
I have noticed that a security CVE (https://nvd.nist.gov/vuln/detail/CVE-2019-16168) has been submitted on SQLite. As far as I can see, the patch was submitted to the trunk. Will the CVE patch be included in 3.30.0?

Regards,
Alex

-----Original Message-----
From: sqlite-users On Behalf Of Richard Hipp
Sent: Thursday, September 26, 2019 9:26 PM
To: General Discussion of SQLite Database ; sqlite-dev
Subject: [sqlite] SQLite version 3.30.0 in about two weeks.

Our plan is to release SQLite version 3.30.0 in about two weeks - on or about 2019-10-10. Please review the change log

https://www.sqlite.org/draft/releaselog/3_30_0.html

And perhaps download, build, and test the latest snapshot. Please let us know if you encounter any problems or concerns.

-- 
D. Richard Hipp
d...@sqlite.org