SQLite Forum

When next release after 3.31.1?

(1) By anonymous on 2020-04-17 18:36:16

Sorry if this has been asked already; I couldn't find it in the forum.

When is the next release planned after 3.31.1?

My company needs an official release that incorporates the already-fixed recent CVE issues.

Thanks!

(2) By Stephan Beal (stephan) on 2020-04-17 19:18:42 in reply to 1

The sqlite developers do not track CVEs. See /forumpost/247d4d7888 for details.

(3) By Warren Young (wyoung) on 2020-04-17 19:39:39 in reply to 1

> When is the next release planned after 3.31.1?

Feature (.0) releases generally come out every three months, so we should be close to the next one.

> My company needs

If only there was a way for a corporate entity to express its needs to the maintainers in a concrete way... :)

> an official release

Why?

I get the point of stability, but what's wrong with backporting the specific commits in the meantime? Fossil makes it easy:


cd ~/src/sqlite/trunk          # location of Fossil checkout of SQLite3 repo
fossil merge --cherrypick d09f8c36
fossil merge --cherrypick abc473fb
fossil merge --cherrypick 4a302b42c7
make -j11 && make test

These checkin IDs come from this post.

All three of these require specially-crafted SQL to exploit. If your company's product is accepting arbitrary SQL, why?

(4) By Richard Hipp (drh) on 2020-04-17 20:13:15 in reply to 2

See also https://www.sqlite.org/src/info/8b12e95fec7ce6e0de82a for another example of why we have such a low opinion of CVEs.