We are a research team dedicated to Golang, and have discovered that CVE-2019-11576, CVE-2022-0905, CVE-2018-15192, CVE-2021-29134, CVE-2021-3382 were addressed in commits 19ec2606e91610421a3e9cd87c94748ef07ca468, 1314f38b59748397b3429fb9bc9f9d6bac85d2f2, 599ff1c054e436daa4dc3f049aa8661d9c2395f9, f4e677edb1f236cd802f5dd2f0759252c9235bd6, b59ed41e81270660e08a18ade5ad09ecd033f905. However, upon analyzing the commits, we observed that the patch versions (v1.9.0-rc1, v1.18.0-dev, v1.16.0-rc1, v1.15.0-rc1, v1.15.0-dev) were released after a lapse of over one month. We are interested in understanding the reasons behind this delay in releasing the patch version, as it could potentially impede the prompt dissemination of patches to downstream users. We seek clarification on whether the delay might be attributed to:
Issues with testing and CI checking.
Other commits requiring inclusion in a single release.
By convention, infrequent release of versions.
Other reasons.
We appreciate your attention to this matter and eagerly await your response. Thank you.
I am also curious about this question. I recently noticed a security announcement in Forgejo (on Mastodon), which was released on November 25. v1.20.5-1 - forgejo/forgejo - Codeberg.org
I read the blog post and understand that Gitea was also affected, and tried to check their process. And although the patches were published shortly after, it looks like it took them three days to address the issue. Release v1.20.6 · go-gitea/gitea · GitHub was released on November 28.
It’s much shorter, but I cannot see an obvious reason for the delay. And as far as I understand, it was a very critical security issue (allows reading private content and modifying others content, even in private repos it seems).
We have focused on security for many years, since Gitea started. I could only say something is not the truth. I think the delay was because the reporter had a special embargo for us. And before the day the embargo ended, they changed the patch and sent an email to us. They released before we had time to read the email. After we found the patch had changed, we had to check whether all other possible places had the same security issue, and we found more problems.
For the response:
1. They never followed our security policy.
2. We replied to them and provided the first version of the patch, and they never mentioned our contribution to the patch.
Further research from both Gitea and Forgejo teams in the following days revealed more vulnerabilities. Initial fixes and tests verifying they are effective were exchanged
However, I acknowledge this response. You mean the security fixes were released sooner, but on the release branches, and the security team didn’t check the release versions but only compared the time between security fix on the dev branch and when the stable release was made? Thank you for clarifying this.
Yeah, these are not the security releases, but the next stable releases. The security fixes went into Gitea much earlier.