Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Why were the patch versions for CVE-2021-4235 released so late? #1002

Open
Silence-worker-02 opened this issue Nov 15, 2023 · 1 comment
Open

Comments

@Silence-worker-02
Copy link

We are a research team dedicated to Golang, have discovered that CVE-2021-4235 was addressed in commit caeefd8. However, upon analyzing the commit, we observed that the patch version (v2.2.3) was released after a lapse of over one month. We are interested in understanding the reasons behind this delay in releasing the patch version, as it could potentially impede the prompt dissemination of patches to downstream users. We seek clarification on whether the delay might be attributed to:

  1. Issues with testing and CI checking.
  2. Other commits requiring inclusion in a single release.
  3. By convention, infrequent release of versions.
  4. Other reasons.
    We appreciate your attention to this matter and eagerly await your response. Thank you.
@bep
Copy link

bep commented Mar 20, 2024

@Silence-worker-02 I'm not a maintainer of this repo, but I'm surprised that your list of potential causes doesn't include the obvious: Most open source library projects are under-funded and run by individuals on their spare time. These individuals have their own set of priorities that may not align with the security researchers (e.g. the CVE in question is not critical if you only use YAML as a internal only facing config format).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants