
Fix for CVE-2024-36760 has not been released yet

Open lubo opened this issue 1 year ago • 3 comments

CVE-2024-36760 was published two weeks ago and a new version that fixes this vulnerability has not been released. Moreover, I don't see any milestone or project that'd give us an idea when it's gonna be released.

lubo, Jun 28 '24 10:06

I try to release a new version when there is a bunch of new stuff.

If you need it urgently I can release 1.19.0.

schungx, Jun 28 '24 12:06

Ideally, security updates should be released ASAP, because the urgency may differ among the users and even understanding the urgency may be a challenging task for both the users and the maintainers. It's also a good practice to release security updates as patch releases, containing only the security fixes, so that the users have an easy way to patch the vulnerability without worrying about breaking unrelated stuff.

So, my recommendation is to release 1.18.1, which will contain only the security fixes. I see multiple commits fixing different stack overflows since 1.18.0, so maybe all of them should be included in the new release?

lubo, Jun 28 '24 14:06

Yes, that should be released in a new 1.19.0.

I can of course cherry-pick the commits that fix the overflow bugs, but it has been a while since the latest release and a new one is due anyway.

I'll get one out soonish.

schungx, Jun 29 '24 02:06

I see 1.19.0 has been released.

lubo, Jul 02 '24 09:07