On 12/14/19, Raitses, Alex <alex.rait...@intel.com> wrote:
> Hello,
> CVE-2019-19317 (https://nvd.nist.gov/vuln/detail/CVE-2019-19317) was
> submitted on SQLite.
> As far as I can see the patch is already submitted. Can you confirm please?
> Do you have estimation for the fixed version release?

This CVE appears to reference a bug in an unreleased development version of SQLite only. The bug has never appeared in any official release version of SQLite, as far as I can tell. So there is nothing to fix.

The CVE is from a third-party, not one of the SQLite developers. There was no coordination between the CVE authors and the SQLite developers.

SQLite is open-source. Anybody can download our latest development code and run fuzzers or other tests against it. Sometimes those people find issues in unreleased code and write CVEs against them, even though the problem has never appeared in any release.

One clue that this is a third-party CVE that does not have the endorsement of the SQLite developers is that it references a GitHub mirror of the source-code repository, rather than the official Fossil source-code repository. The developers would never do that.

--
D. Richard Hipp
d...@sqlite.org