Why were the patch versions for CVE-2022-40931 released so late? #56

Closed
opened 2026-01-19 18:28:47 +00:00 by michael · 1 comment
Owner

Originally created by @Silence-worker-02 on GitHub.

Hello, we are a research team working on Golang. During our investigation, we found CVE-2022-40931 was addressed in commit 31ad4e01e1. However, we noticed that the patch version (v1.5.0) was released after a long time (202 days). We are curious about the reasons behind the delayed release of the patch version, as it may hinder the efficient distribution of patches to downstream users. Could the reason be:

1. Issues with testing and CI checking.

2. Other commits have to be incorporated into one release.

3. By convention, versions are not frequently released.

4. Other reasons.

Thank you for your attention, and we look forward to receiving your reply.

Author
Owner

@paolafrancesca commented on GitHub:

Hello,

According to the personal time available to the maintainers during a specific time frame, versions are not frequently released.

We'll keep an eye to release a new patch version as soon as we'll be aware and fixed to be affected by another security issue.


Reference: dutchcoders/transfer.sh#56