mosn / mosn

The Cloud-Native Network Proxy Platform
https://mosn.io
Apache License 2.0

Why were the patch versions for CVE-2021-32163 released so late? #2358

Closed Silence-worker-02 closed 10 months ago

Silence-worker-02 commented 10 months ago

We are a research team dedicated to Golang and have discovered that CVE-2021-32163 was addressed in commit b3b875c7c0436a7f30d2498138e782ad6d450724. However, upon analyzing the commit, we observed that the patch version (v0.23.0) was released after a lapse of over one month. We are interested in understanding the reasons behind this delay in releasing the patch version, as it could potentially impede the prompt dissemination of patches to downstream users. We seek clarification on whether the delay might be attributed to:

  1. Issues with testing and CI checking.
  2. Other commits requiring inclusion in a single release.
  3. By convention, infrequent release of versions.
  4. Other reasons.

We appreciate your attention to this matter and eagerly await your response. Thank you.

spacewander commented 10 months ago

The RFC defines that Path is case-sensitive. So if people want to match URL Path in a case-sensitive way, they need to configure it explicitly themselves.

Despite the scary CVE score, CVE-2021-32163 only affects upstreams which treat Path case-sensitively. This behavior disobeys the RFC and very few upstreams will behave like that. Therefore, there was no rush to kick off an urgent release. Anyway, the bugfix was included in the next maintenance release.
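As an added example (not MOSN's own code and not the configuration syntax the fix introduced), the constructed Go check below shows why the proxy's case handling for path matching has to agree with the upstream's: it models a case-sensitive upstream and lists the request paths on which a case-folding proxy rule would route differently from that upstream. The `Route` type, cluster names and sample paths are constructed for the illustration.

```go
package main

import "strings"

// Route is a constructed, simplified prefix rule (not MOSN's own type).
type Route struct {
	Prefix  string
	Cluster string
}

// matchRoute picks the cluster of the first matching prefix rule. With
// caseSensitive=true the comparison follows the RFC (the path is
// case-sensitive); with false both sides are case-folded before comparing.
func matchRoute(routes []Route, path string, caseSensitive bool) (string, bool) {
	for _, r := range routes {
		p, prefix := path, r.Prefix
		if !caseSensitive {
			p, prefix = strings.ToLower(p), strings.ToLower(prefix)
		}
		if strings.HasPrefix(p, prefix) {
			return r.Cluster, true
		}
	}
	return "", false
}

// upstreamDecision models a case-sensitive upstream (the case the comment
// above says is affected): only the exact "/admin" prefix is privileged.
func upstreamDecision(path string) string {
	if strings.HasPrefix(path, "/admin") {
		return "admin-handler"
	}
	return "public-handler"
}

// Disagreements returns the request paths for which the proxy's routing
// choice and the upstream's own choice diverge. An empty result means the
// proxy's case handling is consistent with the upstream.
func Disagreements(routes []Route, paths []string, caseSensitive bool) []string {
	var out []string
	for _, p := range paths {
		cluster, _ := matchRoute(routes, p, caseSensitive)
		if (cluster == "admin-cluster") != (upstreamDecision(p) == "admin-handler") {
			out = append(out, p)
		}
	}
	return out
}
```

With rules `/admin -> admin-cluster` and `/ -> public-cluster`, case-folded matching reports `/Admin/users` as a disagreement, while RFC-style case-sensitive matching reports none.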