Do you plan to patch Version 7 for the CRLF vulnerability ?

[simon-knu]

Hello !

Do you plan to patch version 7 with this vulnerability ? @glennawatson @ChrisPulman
#1834

I need to go in prod soon and I want to avoid a major change before that so I want to know if you plan to patch the version 7 for this vulnerability

Best regards

[glennawatson]

I did a release the other day. I believe that pr is part of that

[glennawatson]

https://github.com/reactiveui/refit/releases/tag/8.0.0

[glennawatson]

We also don't patch old releases. Always just version and move on. So there won't be an another 7 release.

Probably your best move is grab the repo. Go to the last version 7 tag and cherry pick the fix in.

Get your release out.

Then upgrade to 8.

I'd be willing to do a once off for you of a 7.0 release if you can do the work of attempting to do a pull request to a 7.x branch.

[simon-knu]

Oh ok, I understand, thank you for the quick response !

I tried to do the job you describe here : #1923 but since I can't create a branch based on the tag 7.2.1 in this repo, I don't think it's possible

[simon-knu]

thank you !!!

[simon-knu]

For info @glennawatson, the quick fix didn't help :/. The 7.2.22 is tagged as containing a vulnerability, I will try to update to 8.0 and test to see if things break

Thank you for the try tho

[glennawatson]

Yeah the cve has flagged any release 7.x. But the vulnerability is fixed.

[ChrisPulman]

I can see if I can update the CVE

[glennawatson]

I've pushed an update to that database so hopefully that vulnerability marker will be removed.

[ChrisPulman]

The major version bump was mostly due to the CVE, there was a few alterations made to the API too but shouldn't be a big issue for updates, bug fixes lead to the changes, so the results may differ slightly depending upon your use case.

[simon-knu]

thank you for your quick reactions guys !