When we reported the bugs, we said that they were from version 3.31, but people at MITRE changed them to 3.30.1. We just reported what we found. And the commit we reported in the bug report references the official GitHub repo.
Bugs are found in the latest version, because there are so many bugs in the release version that have already been fixed in the development code. So there's no point finding bugs in the release version, as we have to verify whether the latest code still has such a bug anyway. Some bugs we found can be reproduced in the release version, with a slight change in the test case, but when we asked the developer to confirm them again, we didn't get a reply, as they had been fixed in the development version after we reported them.

> On Dec 14, 2019, at 5:41 PM, Richard Hipp <d...@sqlite.org> wrote:
>
> On 12/14/19, Raitses, Alex <alex.rait...@intel.com> wrote:
>> Hello,
>> CVE-2019-19317 (https://nvd.nist.gov/vuln/detail/CVE-2019-19317) was
>> submitted on SQLite.
>> As far as I can see the patch is already submitted. Can you confirm please?
>> Do you have estimation for the fixed version release?
>
>
> This CVE appears to reference a bug in an unreleased development
> version of SQLite only. The bug has never appeared in any official
> release version of SQLite, as far as I can tell. So there is nothing
> to fix.
>
> The CVE is from a third-party, not one of the SQLite developers.
> There was no coordination between the CVE authors and the SQLite
> developers.
>
> SQLite is open-source. Anybody can download our latest development
> code and run fuzzers or other tests against it. Sometimes those
> people find issues in unreleased code and write CVEs against them,
> even though the problem has never appeared in any release.
>
> One clue that this is a third-party CVE that does not have the
> endorsement of the SQLite developers is that it references a GitHub
> mirror of the source-code repository, rather than the official Fossil
> source-code repository. The developers would never do that.
>
> --
> D. Richard Hipp
> d...@sqlite.org
> _______________________________________________
> sqlite-users mailing list
> sqlite-users@mailinglists.sqlite.org
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users