On 15/12/2019 10:16, Yongheng Chen wrote:
> When we reported the bugs, we said that they were from version 3.31, but people
> at Mitre changed them to 3.30.1. We just reported what we found. And the commit
> we referenced in the bug report points to the official GitHub repo.

Of course the people at Mitre changed the version number: they do not create a CVE for *unreleased* software.

It has already been pointed out that GitHub is not the official repository, it is a mirror. You should be using the Fossil repository to test unreleased versions, which means you will get the latest version.

Also, reporting bugs here (or to sqlite-dev) would be the polite thing to do, as it gives the developers a chance to fix things before the software gets released, rather than causing a CVE to be generated for a problem that does not yet exist in the real world.

And it means that I (and others) won't be having to answer email from customers on Monday (their time) and Tuesday (my time) where they are in a complete panic because they've discovered[1] that a CVE has been raised on a component of the products, and, "Oh, no, the sky is falling, what shall we do, what shall we do?!?!?!"

        Cheers,
                Gary    B-)

1 - Yes, they're smart enough to troll the CVE lists looking for problems, but not smart enough to evaluate the possible effects of the problem.
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users