
Missing changelog entries for 104

Open rathann opened this issue 3 years ago • 3 comments

The changelog section for 104 contains just one entry while the list of commits is much longer. Would it be possible to list the high-level changes and mention the fix for CVE-2021-45290 and CVE-2021-45293? Please have the GitHub security advisories updated as well. They're showing both affected and patched versions as "Unknown".

rathann avatar Jan 12 '22 09:01 rathann

I'm curious to hear more about the importance of those CVEs, in your opinion. My perspective is that they are just minor miscellaneous bugs, because Binaryen is not used in a place where a DoS attack is of concern. (It's also not used in a security-sensitive place where an exploit would be worrying, like a browser or an OS kernel.) But maybe I'm wrong?

Regardless, a PR with additional details would definitely be welcome.

kripken avatar Jan 12 '22 19:01 kripken

You are not wrong, I guess. I asked only for completeness' sake, because I got bug reports opened downstream, against the binaryen package in Fedora and EPEL, and I haven't found an upstream changelog when releasing an update.

rathann avatar Jan 15 '22 00:01 rathann

I see. Well, perhaps we should get more into the habit of updating the changelog as we land things. I think that's probably a good idea in general.

kripken avatar Jan 19 '22 16:01 kripken