
The vulnerability CVE-2023-32082 has been fixed, but no specific tag denotes the patched version. #16158

Closed
Silence-worker-02 opened this issue Jun 30, 2023 · 1 comment

Comments

@Silence-worker-02

What would you like to be added?

Add a tag on fixing commit or its subsequent commits as the patch version.

Why is this needed?

Hello, we are a team researching the dependency management mechanism of Golang. During our analysis, we came across your project and noticed that you have fixed a vulnerability (snyk references, CVE: CVE-2023-32082, CWE: CWE-842, fix commit id: 49b59cc). However, we observed that you have not tagged the fixing commit or its subsequent commits. As a result, users are unable to obtain the patch version through the Go tool `go list`.

We kindly request your assistance in addressing this issue. Tagging the fixing commit or its subsequent commits will greatly benefit users who rely on your project and are seeking the patched version to address the vulnerability.

We greatly appreciate your attention to this matter and collaboration in resolving it. Thank you for your time and for your valuable contributions to our research.

@jmhbnz
Member

jmhbnz commented Jul 1, 2023

Hi @Silence-worker-02 - Thanks for your question.

The commit you linked is for the etcd main branch, which is equivalent to etcd v3.6.0, which is currently purely a development branch with no official releases or release candidates/alphas. To the best of my knowledge this is intentional, to ensure that release-3.4 is still supported, as a major cloud provider is still using this release.

For the active supported etcd release branches release-3.4 and release-3.5 the fix for this issue has been backported:

Those backports have been included in tagged releases:

We could potentially explore creating alpha or release candidate tags for main; however, this might create a false view that the 3.6 release is near, which we would want to avoid. I will leave it to maintainers to comment further on that if they wish.

@jmhbnz jmhbnz closed this as completed Jul 26, 2023
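As an added example (not code from this thread or from the etcd project), here is the check a Go user would run after reading the comment above: given the first fixed tag on each supported release line, classify the versions that `go list -m -versions` reports as patched, vulnerable, or unknown. The fixed versions and the sample version list are constructed placeholders, not values from the thread; the pseudo-version stands in for an untagged commit on main, which a version comparison cannot vouch for and must be left to a git ancestry check against the fix or backport commit.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Version is a parsed Go module version such as v3.5.9 or v3.6.0-alpha.0.
type Version struct {
	Major, Minor, Patch int
	Pre                 string // pre-release suffix, "" for a final release
}

// pseudoRe matches the tail of a Go pseudo-version (timestamp-commit), which names
// a bare commit rather than a tagged release.
var pseudoRe = regexp.MustCompile(`(^|\.)[0-9]{14}-[0-9a-f]{12}$`)

// ParseVersion parses the "vX.Y.Z[-pre]" shape that `go list -m -versions` prints.
func ParseVersion(s string) (Version, error) {
	core, pre, _ := strings.Cut(strings.TrimPrefix(s, "v"), "-")
	parts := strings.Split(core, ".")
	if len(parts) != 3 {
		return Version{}, fmt.Errorf("malformed version %q", s)
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil || v < 0 {
			return Version{}, fmt.Errorf("malformed version %q", s)
		}
		n[i] = v
	}
	return Version{n[0], n[1], n[2], pre}, nil
}

// Line is the release line a version belongs to ("3.5" for v3.5.9); it maps onto the
// release-3.x branches that backports land on.
func (v Version) Line() string { return fmt.Sprintf("%d.%d", v.Major, v.Minor) }

// IsPseudo reports whether the version is a pseudo-version (an untagged commit).
func (v Version) IsPseudo() bool { return pseudoRe.MatchString(v.Pre) }

// Less orders versions; a pre-release sorts below the final release with the same core.
func (a Version) Less(b Version) bool {
	if a.Major != b.Major || a.Minor != b.Minor || a.Patch != b.Patch {
		return a.Major < b.Major || (a.Major == b.Major &&
			(a.Minor < b.Minor || (a.Minor == b.Minor && a.Patch < b.Patch)))
	}
	// Same core: a pre-release is below the final release; otherwise compare suffixes.
	return a.Pre != "" && (b.Pre == "" || a.Pre < b.Pre)
}

type Status string

const (
	Patched    Status = "patched"
	Vulnerable Status = "vulnerable"
	Unknown    Status = "unknown" // no tagged fix on this line, or an untagged commit
)

// Classify compares each candidate with the first fixed version on its release line.
func Classify(fixedPerLine map[string]string, candidates []string) (map[string]Status, error) {
	out := make(map[string]Status, len(candidates))
	for _, c := range candidates {
		v, err := ParseVersion(c)
		if err != nil {
			return nil, err
		}
		fixedStr, ok := fixedPerLine[v.Line()]
		if !ok || v.IsPseudo() {
			// Either the line has no tagged fix (like the untagged 3.6 development
			// branch discussed above) or the version names a bare commit. Only git
			// ancestry of the fix/backport commit can answer, so never report "patched".
			out[c] = Unknown
			continue
		}
		fixed, err := ParseVersion(fixedStr)
		if err != nil {
			return nil, err
		}
		if v.Less(fixed) {
			out[c] = Vulnerable
		} else {
			out[c] = Patched
		}
	}
	return out, nil
}

// FixedVersions is a CONSTRUCTED placeholder: fill in the tagged releases that carry
// the backports for each supported release line.
var FixedVersions = map[string]string{"3.4": "v3.4.26", "3.5": "v3.5.9"}

// SampleVersions is constructed input in the shape `go list -m -versions` prints,
// plus a constructed pseudo-version (fake commit id) for an untagged main commit.
var SampleVersions = []string{
	"v3.4.25", "v3.4.26", "v3.5.8", "v3.5.9", "v3.5.10",
	"v3.6.0-alpha.0", "v3.6.0-0.20230630120000-0123456789ab",
}

func main() {
	status, err := Classify(FixedVersions, SampleVersions)
	if err != nil {
		panic(err)
	}
	for _, v := range SampleVersions {
		fmt.Printf("%-40s %s\n", v, status[v])
	}
}
```

The design point is the `Unknown` bucket: a version string only proves a fix when it names a tag at or above the first fixed tag on the same release line, so untagged lines and pseudo-versions are deliberately not reported as patched rather than being guessed at.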