Closed Silence-worker-02 closed 7 months ago
Hi, I wrote a more detailed reply regarding this specific issue in https://github.com/cloudflare/circl/pull/417#issuecomment-1812682972
It is not a problem with points 1-3. In summary, a theoretical issue was reported that does not affect realistic systems. So despite the scary CVE score, there was no issue that warranted an urgent release. It was included in the next maintenance release.
Thanks @Lekensteyn for the expanded explanation.
@Silence-worker-02 feel free to reach ask-research@cloudflare.com
if there are more questions.
We are a research team dedicated to Golang, have discovered that CVE-2023-1732 was addressed in commit f4c0e87526ec17305e8a573f1c58acedc5539a92. However, upon analyzing the commit, we observed that the patch version (v1.3.3) was released after a lapse of over one month. We are interested in understanding the reasons behind this delay in releasing the patch version, as it could potentially impede the prompt dissemination of patches to downstream users. We seek clarification on whether the delay might be attributed to: