You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We are a research team dedicated to Golang, have discovered that CVE-2023-1732 was addressed in commit f4c0e87. However, upon analyzing the commit, we observed that the patch version (v1.3.3) was released after a lapse of over one month. We are interested in understanding the reasons behind this delay in releasing the patch version, as it could potentially impede the prompt dissemination of patches to downstream users. We seek clarification on whether the delay might be attributed to:
Issues with testing and CI checking.
Other commits requiring inclusion in a single release.
By convention, infrequent release of versions.
Other reasons.
We appreciate your attention to this matter and eagerly await your response. Thank you.
The text was updated successfully, but these errors were encountered:
Hi, I wrote a more detailed reply regarding this specific issue in #417 (comment)
It is not a problem with points 1-3. In summary, a theoretical issue was reported that does not affect realistic systems. So despite the scary CVE score, there was no issue that warranted an urgent release. It was included in the next maintenance release.
We are a research team dedicated to Golang, have discovered that CVE-2023-1732 was addressed in commit f4c0e87. However, upon analyzing the commit, we observed that the patch version (v1.3.3) was released after a lapse of over one month. We are interested in understanding the reasons behind this delay in releasing the patch version, as it could potentially impede the prompt dissemination of patches to downstream users. We seek clarification on whether the delay might be attributed to:
We appreciate your attention to this matter and eagerly await your response. Thank you.
The text was updated successfully, but these errors were encountered: