Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Multiple Patched Versions Allowed? #4771

Closed
oleibman opened this issue Sep 8, 2024 · 2 comments
Closed

Multiple Patched Versions Allowed? #4771

oleibman opened this issue Sep 8, 2024 · 2 comments

Comments

@oleibman
Copy link

oleibman commented Sep 8, 2024
edited
Loading

Still struggling with back-porting some security fixes. I have version 2.0.0, 2.1.0, 2.2.0, 2.2.1 (patched) and 2.2.2 (patched). My security advisory currently states affected version is >= 2.0.0, < 2.2.1 and patch version specifies 2.2.1. However, some (not all) users of 2.1.0 cannot yet meet the prerequisites to migrate to 2.2.1. So I am planning to create a version 2.1.1. I could split this up into multiple conditions on the Security Advisory, but I am not sure what to specify. Can I specify affected version as >= 2.0.0, < 2.1.1 with a patched version of 2.1.1, 2.2.1, and then another condition with affected version 2.2.0 with a patched version 2.2.1?
@oleibman oleibman changed the title Multiple Patched Versions Allowed Multiple Patched Versions Allowed? Sep 8, 2024
@shelbyc
Copy link
Contributor

shelbyc commented Sep 17, 2024

Hi @oleibman, it is possible for an advisory to have more than one patched version as long as there is at least one vulnerable version separating the patched versions. In the example you describe, it is possible to have two vulnerable version ranges, >= 2.0.0, < 2.1.1 and >= 2.2.0, < 2.2.1 (with = 2.2.0 also being acceptable if 2.2.0 is the only vulnerable version on the 2.2 branch), and two patched versions, 2.1.1 and 2.2.1. As you correctly noted, if there are two adjacent patched versions with no vulnerable versions between them, such as 2.2.1 and 2.2.2, the lower/older of the two patched versions would be listed as the patched version.

Hope this information helps! 🙂 If and when you release a patch in 2.1.1, you are welcome to tell us to add it to the advisory by making a PR at https://github.com/github/advisory-database/pulls.

@shelbyc shelbyc closed this as completed Sep 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@shelbyc @oleibman and others