Why were the patch versions for CVE-2023-23314 released so late?
Closed this issue · 1 comments
We are a research team dedicated to Golang, have discovered that CVE-2023-23314 was addressed in commit 42c1060. However, upon analyzing the commit, we observed that the patch version (3.3.0) was released after a lapse of over one month. We are interested in understanding the reasons behind this delay in releasing the patch version, as it could potentially impede the prompt dissemination of patches to downstream users. We seek clarification on whether the delay might be attributed to:
- Issues with testing and CI checking.
- Other commits requiring inclusion in a single release.
- By convention, infrequent release of versions.
- Other reasons.
We appreciate your attention to this matter and eagerly await your response. Thank you.
Thank you for bringing this to our attention. The delay in releasing patch version 3.3.0 was due to extensive testing and CI checks to ensure the fix was stable and did not introduce new issues. Additionally, we aimed to include other important updates in the same release. We understand the importance of timely patch dissemination and will work to improve this process in the future. We appreciate your understanding and support.