sqlite3 cve flagged to wrong version

dkaparis · Aug 2, 2025

pkg-audit gives me for `sqlite3-3.46.1_1,1`:

vulnxml file up-to-date
sqlite3-3.46.1_1,1 is vulnerable:
sqlite -- Integer Truncation on SQLite
CVE: CVE-2025-6965
WWW: https://vuxml.freebsd.org/freebsd/0f5bcba2-67fb-11f0-9ee5-b42e991fc52e.html

But consulting https://vuxml.freebsd.org/freebsd/0f5bcba2-67fb-11f0-9ee5-b42e991fc52e.html, I see under `affected packages`:

3.39.2,1

<=

sqlite3

<

3.41.2,1

If I read that correctly, 3.46.1 is outside that range. Any ideas?

SirDice · Aug 2, 2025

pkg audit -F

The URL points to versions below 3.50.2,1:

Code:

 		sqlite3 	< 	3.50.2,1
		linux-c7-sqlite 	< 	3.50.2
0 	<= 	linux_base-rl9

It probably got registered incorrectly, but has since been fixed on VuXML.

sqlite3 cve flagged to wrong version

dkaparis

SirDice

Administrator