When next release after 3.31.1?

(1) By anonymous on 2020-04-17 18:36:16 [link]

Sorry if this has been asked already; I couldn't find it in the forum.

When is the next release planned after 3.31.1?

My company needs an official release that incorporates the already-fixed recent CVE issues.

Thanks!

(2) By Stephan Beal (stephan) on 2020-04-17 19:18:42 in reply to 1

The sqlite developers do not track CVEs. See [](/forumpost/247d4d7888) for details.

(3) By Warren Young (wyoung) on 2020-04-17 19:39:39 in reply to 1 [link]

> When is the next release planned after 3.31.1?

Feature (.0) releases generally come out every three months, so we should be close to the next one.

> My company needs

If only [there was a way][1] for a corporate entity to express its needs to the maintainers in a concrete way... :)

> an official release

Why?

I get the point of stability, but what's wrong with backporting the specific commits in the meantime? Fossil makes it easy:

----

```shell
cd ~/src/sqlite/trunk          # location of Fossil checkout of SQLite3 repo
fossil merge --cherrypick d09f8c36
fossil merge --cherrypick abc473fb
fossil merge --cherrypick 4a302b42c7
make -j11 && make test
```

----

These checkin IDs come from [this post][2].

All three of these require specially-crafted SQL to exploit. If your company's product is accepting arbitrary SQL, why?

[1]: https://sqlite.org/prosupport.html
[2]: https://sqlite.org/forum/forumpost/6c512820c26a

(4) By Richard Hipp (drh) on 2020-04-17 20:13:15 in reply to 2 [link]

See also <https://www.sqlite.org/src/info/8b12e95fec7ce6e0de82a> for another
example of why we have such a low opinion of CVEs.