Why were the patch versions for CVE-2019-11576, CVE-2022-0905, CVE-2018-15192, CVE-2021-29134, CVE-2021-3382 released so late?

General

Silence-worker-02 November 15, 2023, 12:57pm 1

We are a research team dedicated to Golang, have discovered that CVE-2019-11576, CVE-2022-0905, CVE-2018-15192, CVE-2021-29134, CVE-2021-3382 were addressed in commit 19ec2606e91610421a3e9cd87c94748ef07ca468, 1314f38b59748397b3429fb9bc9f9d6bac85d2f2, 599ff1c054e436daa4dc3f049aa8661d9c2395f9, f4e677edb1f236cd802f5dd2f0759252c9235bd6, b59ed41e81270660e08a18ade5ad09ecd033f905. However, upon analyzing the commit, we observed that the patch versions (v1.9.0-rc1, v1.18.0-dev, v1.16.0-rc1, v1.15.0-rc1, v1.15.0-dev) were released after a lapse of over one month. We are interested in understanding the reasons behind this delay in releasing the patch version, as it could potentially impede the prompt dissemination of patches to downstream users. We seek clarification on whether the delay might be attributed to:

1. Issues with testing and CI checking.
2. Other commits requiring inclusion in a single release.
3. By convention, infrequent release of versions.
4. Other reasons.
   We appreciate your attention to this matter and eagerly await your response. Thank you.

jake November 18, 2023, 5:22pm 2

At least for CVE-2021-3382, it was patched on Jan 18 (Use path not filepath in routers/editor by zeripath · Pull Request #14390 · go-gitea/gitea · GitHub) on the main development branch. On Jan 19, it was backported to the v1.13 release branch (Use path not filepath in routers/editor (#14390) by 6543 · Pull Request #14396 · go-gitea/gitea · GitHub) and released 12 days later with v1.13.2. I did not look into the others.