Why were the patch versions for CVE-2022-27652 and CVE-2022-0532 released so late? #7482
Unanswered
Silence-worker-02
asked this question in
Q&A
Replies: 1 comment
-
this has part to do with CRI-O release cadance. Since we follow the kubernetes project, we don't release minor versions (1.y.0) until after kube does. For #5610 it was released in a minor version in 1.24.0. but the patch was brought back to 1.23.1 quickly. Users wouldn't be expected to use 1.24.0 until kube cut it, so it shouldn't have effected anyone. For GHSA-4hj2-r2pm-3hc6, the risk wasn't deemed worth backporting, so we waited for the minor release |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
We are a research team dedicated to Golang, have discovered that CVE-2022-27652 and CVE-2022-0532 were addressed in commit 32d6828 and 9ad033b. However, upon analyzing the commit, we observed that the patch versions (v1.24.0) was released after a lapse of over one month. We are interested in understanding the reasons behind this delay in releasing the patch version, as it could potentially impede the prompt dissemination of patches to downstream users. We seek clarification on whether the delay might be attributed to:
We appreciate your attention to this matter and eagerly await your response. Thank you.
Beta Was this translation helpful? Give feedback.
All reactions