Why were the patch versions for CVE-2021-28955 released so late? #1137
Unanswered
Silence-worker-02
asked this question in
Q&A
Replies: 2 comments
-
The README for this project mentions that the maintainer is finding it to be a lot of work to maintain the project and asking for help with project maintenance. I would guess that is the reason. |
Beta Was this translation helpful? Give feedback.
0 replies
-
I was informed of that issue March 20, 2021 by email. I released a fixed version (https://github.com/MichaelMure/git-bug/releases/tag/v0.7.2) and filled a security advisory on Github the next day. So the answer is is "4. It wasn't late". |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
We are a research team dedicated to Golang, have discovered that CVE-2021-28955 was addressed in commit 01b9490. However, upon analyzing the commit, we observed that the patch version (v0.8.0) was released after a lapse of over one month. We are interested in understanding the reasons behind this delay in releasing the patch version, as it could potentially impede the prompt dissemination of patches to downstream users. We seek clarification on whether the delay might be attributed to:
We appreciate your attention to this matter and eagerly await your response. Thank you.
Beta Was this translation helpful? Give feedback.
All reactions