opencontainers / image-spec

OCI Image Format
https://www.opencontainers.org/
Apache License 2.0

Why were the patch versions for CVE-2021-41190 released so late? #1098

Closed Silence-worker-02 closed 10 months ago

Silence-worker-02 commented 1 year ago

Hello, we are a research team working on Golang. During our investigation, we found that CVE-2021-41190 was addressed in commit 693428a734f5bab1a84bd2f990d92ef1111cd60c. However, we noticed that the patch version (v1.1.0-rc1) was released after a long time (302 days). We are curious about the reasons behind the delayed release of the patch version, as it may hinder the efficient distribution of patches to downstream users. Could the reason be:

1. Issues with testing and CI checking.

2. Other commits have to be incorporated into one release.

3. By convention, versions are not frequently released.

4. Other reasons.

Thank you for your attention, and we look forward to receiving your reply.

sudo-bmitch commented 10 months ago

The CVE was fixed in https://github.com/opencontainers/distribution-spec/commit/ac28cac0557bcd3084714ab09f9f2356fe504923 and released 7 days later in https://github.com/opencontainers/distribution-spec/releases/tag/v1.0.1.

sudo-bmitch commented 10 months ago

Sorry, that was the distribution-spec side, for image-spec it was fixed in https://github.com/opencontainers/image-spec/commit/dcdcb7f2cf08641d03189e5b09be32de5dcfe459 and released in https://github.com/opencontainers/image-spec/releases/tag/v1.0.2.
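The confusion in this thread comes down to one question a downstream consumer has to answer for every advisory: which tagged release is the first one whose history includes the fix commit? The script below is an added example, not code from the image-spec project or from anyone in this thread; it wraps the two git queries that answer that question (`git tag --contains` and `git merge-base --is-ancestor`) and builds a small throwaway repository with constructed commits and tags so it can run offline. The tag names v1.0.1, v1.0.2 and v1.1.0-rc1 mirror the ones discussed above, but the commits in the demo repository are stand-ins, not the real fix.

```shell
#!/bin/sh
# Added example (not the image-spec project's code): given a fix commit named in
# an advisory, find the earliest release tag that ships it, and check whether a
# specific tag already contains it. Requires a git binary on PATH.

# first_tag_containing REPO COMMIT
#   Prints the lowest version-sorted tag whose history includes COMMIT, or
#   "unreleased" when no tag contains it (fix merged but not yet shipped).
first_tag_containing() {
    repo=$1
    commit=$2
    # --sort=version:refname orders v1.0.2 before v1.1.0-rc1 without GNU sort -V
    tag=$(git -C "$repo" tag --contains "$commit" --sort=version:refname | head -n 1)
    if [ -z "$tag" ]; then
        echo "unreleased"
    else
        echo "$tag"
    fi
}

# is_released REPO COMMIT TAG
#   Exit status 0 when TAG's history includes COMMIT, 1 otherwise.
is_released() {
    git -C "$1" merge-base --is-ancestor "$2" "$3"
}

# fix_commit REPO
#   Locates the constructed fix commit in the demo repository by its subject.
fix_commit() {
    git -C "$1" log --all --format=%H --grep='^fix:' -n 1
}

# make_demo_repo
#   Builds a constructed repository: a release, then a fix, then two more
#   releases, then unreleased work on top. Prints the repository path.
make_demo_repo() {
    dir=$(mktemp -d)
    g() { git -C "$dir" -c user.name=demo -c user.email=demo@example.com "$@"; }
    g -c init.defaultBranch=main init -q
    g commit -q --allow-empty -m "release v1.0.1"
    g tag v1.0.1
    g commit -q --allow-empty -m "fix: constructed stand-in for a security fix"
    g commit -q --allow-empty -m "release v1.0.2"
    g tag v1.0.2
    g commit -q --allow-empty -m "release v1.1.0-rc1"
    g tag v1.1.0-rc1
    g commit -q --allow-empty -m "unreleased follow-up work"
    echo "$dir"
}
```

Against a real clone the same functions take the advisory's commit directly, for example `first_tag_containing ./image-spec dcdcb7f2cf08641d03189e5b09be32de5dcfe459`; a result of `unreleased` is the signal that a downstream project is depending on an unshipped fix and should pin the commit or wait for the tag.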

cyphar commented 10 months ago

There are a bunch of these issues being opened against open source projects (some of which contain mistakes), presumably by this script. As such, this almost certainly should be classified as spam.

@Silence-worker-02 if you would like to get information for a research project from the general public you need to provide information about the research project (affiliation, any relevant grant number, information about ethics approval, etc). Anonymously spamming projects with cookie-cutter issues is not a responsible way of doing research.

Closing and locking.