
Contribution to "Link Following in Iris" #103


Conversation

kataras

@kataras kataras commented Mar 12, 2022

Updates

  • Affected products
  • Description

@github-actions github-actions bot changed the base branch from main to kataras/advisory-improvement-103 March 12, 2022 20:20
@darakian
Contributor

I see you calling out alpha5 in the description text and alpha9 in the fix version. Do you mean one or the other for both and do you have a fix commit?

@taladrane
Collaborator

@kataras following up on our above question - is the fixed version v12.2.0-alpha5 or v12.2.0-alpha9? Can you provide a reference (like a fix commit) to support this?

@jbmagination

jbmagination commented Mar 25, 2022

It looks like kataras made this commit (and this contribution). Looking at the commit in references, the fixed version looks to be v12.2.0-alpha9. It is strange though that it says that it's before v12.2.0-alpha5.

@kataras
Author

kataras commented Mar 25, 2022

Hello @darakian, @taladrane, @jbmagination, the link to the fix is already there. The fix was done on 23 Dec 2021 and it applies to all versions after 12.2.0-alpha5. I did correct the description as you correctly mentioned. Thank you a lot.

@darakian
Contributor

@kataras Wait, versions after alpha5 are good? Your commit 8111796 is showing alpha8.

@kataras
Author

kataras commented Mar 25, 2022

Yes @darakian, the only next version reachable after alpha5 is indeed alpha8 :)

UPDATE: Added "patched version" v12.2.0-alpha8 and grammar fix.

@darakian
Contributor

@kataras I see 6 and 7 via pkg.go.dev.

@kataras
Author

kataras commented Mar 26, 2022

@darakian probably a pkg cache thing. These tags were removed explicitly by me back then. Anyway, this doesn't matter. The patched version is tagged as v12.2.0-alpha8 on this commit. Would you like me to change the affected versions from <= v12.2.0-alpha5 to <= v12.2.0-alpha7 (but alpha7 is not available among the GitHub tags; it would be strange)?

@jbmagination

jbmagination commented Mar 27, 2022

@kataras Wouldn't it be alpha6?

@kataras
Author

kataras commented Mar 27, 2022

Maybe, but sorry for asking: is there a reason why this PR is still not merged? If so, please write down a to-do list so I can fix the issues. Thanks in advance!

@darakian
Contributor

@kataras it's not merged yet, because I'm trying to determine the correct fix version. If alpha 6 contained the commit then I would like to set that as the fix version. If you'd rather alpha 8 be the fix version then can I ask that you get 6 and 7 removed from pkg.go.dev?

@kataras
Author

kataras commented Apr 1, 2022

Hello @darakian,

Nobody can directly remove any versions from pkg.go.dev; this is not under our control (as project managers and maintainers). And indeed, they were not removed because they (the maintainers of pkg.go.dev) are probably using a cache for tagged versions.

The bug existed on alpha6 and alpha7 too. The bug was resolved in alpha8, which is the next version after alpha5 based on the GitHub tags.

I agree to mark the bug solved/fixed as >=v12.2.0-alpha8 that's why I am trying to add this contribution to this advisory-database project.

@darakian
Contributor

darakian commented Apr 1, 2022

> Nobody can directly remove any versions from pkg.go.dev, this is not under our control

Interesting. I was under the impression that the go proxy deferred to the backing VCS for all content.

> I agree to mark the bug solved/fixed as >=v12.2.0-alpha8

Fair enough. Sorry for the back and forth, I just wanted to make sure we were being as accurate as possible.
Given some quirks in how we do ranges, I've set <= 12.2.0-alpha7 as vulnerable, with 12.2.0-alpha8 as the fix version.
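The range darakian settles on above (everything up to and including v12.2.0-alpha7 affected, v12.2.0-alpha8 fixed) only behaves as intended if whoever consumes the advisory compares prerelease tags the way the advisory tooling does. The program below is an added example written for this page; it is not code from the thread, from the advisory database or from the Iris project. It implements semver 2.0 precedence with the Go standard library only and classifies a constructed list of tags against that range. The constant name, the helper names and the sample tag v12.2.0-alpha10 are assumptions made for the example; the thread does not say such a tag exists.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// LastVulnerable is the upper bound recorded in the thread; v12.2.0-alpha8 is the first fixed tag.
const LastVulnerable = "v12.2.0-alpha7"
// parseVersion splits "vMAJOR.MINOR.PATCH-PRE" into its numeric core and its
// dot-separated prerelease identifiers (build metadata after "+" is not handled).
func parseVersion(v string) (core [3]int, pre []string, err error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '-'); i >= 0 {
		v, pre = v[:i], strings.Split(v[i+1:], ".")
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return core, nil, fmt.Errorf("version %q: core must be MAJOR.MINOR.PATCH", v)
	}
	for i, p := range parts {
		n, ok := numeric(p)
		if !ok {
			return core, nil, fmt.Errorf("version %q: non-numeric component %q", v, p)
		}
		core[i] = n
	}
	return core, pre, nil
}

// numeric parses s as an unsigned decimal identifier; signs and empty strings are rejected.
func numeric(s string) (int, bool) {
	n, err := strconv.Atoi(s)
	return n, err == nil && s[0] >= '0' && s[0] <= '9'
}

func cmpInt(a, b int) int {
	if a < b {
		return -1
	}
	if a > b {
		return 1
	}
	return 0
}

// cmpIdent orders prerelease identifiers as semver 2.0 does: numeric ones numerically,
// everything else by ASCII, and numeric < alphanumeric. Hence "alpha10" < "alpha8".
func cmpIdent(a, b string) int {
	na, aNum := numeric(a)
	nb, bNum := numeric(b)
	switch {
	case aNum && bNum:
		return cmpInt(na, nb)
	case aNum:
		return -1
	case bNum:
		return 1
	}
	return strings.Compare(a, b)
}

// Compare returns -1, 0 or 1 for a < b, a == b, a > b under semver precedence.
func Compare(a, b string) (int, error) {
	ca, pa, errA := parseVersion(a)
	cb, pb, errB := parseVersion(b)
	for _, err := range []error{errA, errB} {
		if err != nil {
			return 0, err
		}
	}
	for i := range ca {
		if c := cmpInt(ca[i], cb[i]); c != 0 {
			return c, nil
		}
	}
	if len(pa) == 0 || len(pb) == 0 {
		return cmpInt(len(pb), len(pa)), nil // a release outranks any prerelease
	}
	for i := 0; i < len(pa) && i < len(pb); i++ {
		if c := cmpIdent(pa[i], pb[i]); c != 0 {
			return c, nil
		}
	}
	return cmpInt(len(pa), len(pb)), nil // equal prefix: the longer identifier list is higher
}

// IsVulnerable reports whether v lies in the affected range "<= LastVulnerable".
func IsVulnerable(v string) (bool, error) {
	c, err := Compare(v, LastVulnerable)
	return err == nil && c <= 0, err
}

func main() {
	// Constructed sample tags; "v12.2.0-alpha10" is invented only to show the ordering trap.
	for _, v := range []string{"v12.1.8", "v12.2.0-alpha5", "v12.2.0-alpha8", "v12.2.0-alpha10", "v12.2.0"} {
		affected, err := IsVulnerable(v)
		fmt.Printf("%-16s affected=%v err=%v\n", v, affected, err)
	}
}
```

Run it with `go run .` or call `IsVulnerable` from a test. The caveat worth keeping in mind when writing such ranges: the semver specification compares any prerelease identifier that contains letters as an ASCII string, and Go's own `golang.org/x/mod/semver` follows that rule, so a hypothetical v12.2.0-alpha10 sorts below v12.2.0-alpha8 and would land inside the affected range. Ranges written against identifiers of the form alphaN therefore only order as a human expects while N stays single-digit; tags like alpha.10 (a separate numeric identifier) avoid the problem.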

@advisory-database advisory-database bot merged commit 1ba8e23 into kataras/advisory-improvement-103 Apr 1, 2022
@advisory-database advisory-database bot deleted the kataras-GHSA-jcxc-rh6w-wf49 branch April 1, 2022 21:02
@advisory-database
Contributor

Hi @kataras! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

@kataras
Author

kataras commented Apr 9, 2022

No worries @darakian, have a nice weekend! And thank you for your effort
