requests
New release
Hi,
Could you tell me, please, if you plan any new releases soon? The latest version is about one year old, and our code analyzers complain about this raising a high operational risk. So I am just curious now, what are your plans.
Hi @oleksandrkorzhenevskyi,
> and our code analyzers complain about this raising a high operational risk.
Could you be more specific with what is being flagged with your code analyzers that you believe is creating an operational risk?
Hi @nateprewitt,
I think it just complains that the current version was released 358 days ago, and the activity in the repository is decreasing.
The other things that I see in the report:
- https://nvd.nist.gov/vuln/detail/CVE-2015-2296 - is this fixed?
- https://nvd.nist.gov/vuln/detail/CVE-2014-1830 - this mentions the version before 2.3.0, we use the 2.32.3. Therefore I believe this must be fixed long ago, and it's just a false positive in our case. Is that true?
> The other things that I see in the report:
> - https://nvd.nist.gov/vuln/detail/CVE-2015-2296 - is this fixed?
> - https://nvd.nist.gov/vuln/detail/CVE-2014-1830 - this mentions the version before 2.3.0, we use the 2.32.3. Therefore I believe this must be fixed long ago, and it's just a false positive in our case. Is that true?
For anyone unfamiliar with how CVEs are issued, it should always be CVE-{Year}-{Sequential Identifier}. We released both of these CVEs in 2015 and 2014 respectively after they were patched. You can see in both CVEs that the versions that were fixed were 2.6.0 and 2.3.0, along with the patches. I would recommend reaching out to your provider as their scanners appear to be confused.
Resolving now that a new release has been cut and there don't appear to be any additional follow ups. Please let us know if you need any other clarifications.
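
One way to triage the two findings discussed in this thread, as an added example (not code from the requests project or from any participant): it parses the CVE identifier format described above and compares the installed 2.32.3 against the fixed versions 2.6.0 and 2.3.0 quoted in the thread. The helper names are hypothetical, and the text-comparison value is only an illustration of a common version-check mistake, not a claim about what the reporter's scanner does.

```python
import re

# CVE-{Year}-{Sequential Identifier}; the sequence part has at least 4 digits.
CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

# Fixed-in versions as stated in the thread above.
FINDINGS = {
    "CVE-2015-2296": "2.6.0",
    "CVE-2014-1830": "2.3.0",
}


def parse_cve(cve_id):
    """Split a CVE identifier into (year, sequence) or raise ValueError."""
    m = CVE_RE.match(cve_id)
    if not m:
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    return int(m.group(1)), int(m.group(2))


def parse_version(text):
    """Turn a plain dotted release such as '2.32.3' into a tuple of ints."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_affected(installed, fixed_in):
    """Affected only if the installed release predates the fixed release."""
    a, b = parse_version(installed), parse_version(fixed_in)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))  # pad so '2.6' compares equal to '2.6.0'
    b += (0,) * (width - len(b))
    return a < b


def triage(installed, findings=FINDINGS):
    """Return {cve_id: (year, affected, naive_text_compare)} per finding."""
    report = {}
    for cve_id, fixed_in in findings.items():
        year, _ = parse_cve(cve_id)
        naive = installed < fixed_in  # text comparison, shown for contrast only
        report[cve_id] = (year, is_affected(installed, fixed_in), naive)
    return report


if __name__ == "__main__":
    for cve_id, (year, affected, naive) in triage("2.32.3").items():
        print(f"{cve_id} ({year}): affected={affected}, text-compare={naive}")
```

Comparing the strings as text puts "2.32.3" before "2.6.0", while the numeric comparison reports the installed release as unaffected by both findings.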