Closed lubo closed 3 weeks ago
I try to release a new version when there is a bunch of new stuff.
If you need it urgently I can release 1.19.0.
Ideally, security updates should be released ASAP, because the urgency may differ among the users and even understanding the urgency may be a challenging task for both the users and the maintainers. It's also a good practice to release security updates as patch releases, containing only the security fixes, so that the users have an easy way to patch the vulnerability without worrying about breaking unrelated stuff.
So, my recommendation is to release 1.18.1, which will contain only the security fixes. I see multiple commits fixing different stack overflows since 1.18.0, so maybe all of them should be included in the new release?
Yes, that should be released in a new 1.19.0.
I can of course cherry-pick the commits that fix the overflow bugs but it has been a while since the latest release and a new one is due anyway.
I'll get one out soonish.
I see 1.19.0 has been released.
CVE-2024-36760 was published two weeks ago and a new version that fixes this vulnerability has not been released. Moreover, I don't see any milestone or project that'd give us an idea when it's gonna be released.