Why were the patch versions for CVE-2019-13126, CVE-2020-28466 released so late?

[Silence-worker-02]

We are a research team dedicated to Golang, have discovered that CVE-2019-13126, CVE-2020-28466 were addressed in commit 07ef71f, 18108be. However, upon analyzing the commit, we observed that the patch version (v2.2.0) was released after a lapse of over one month. We are interested in understanding the reasons behind this delay in releasing the patch version, as it could potentially impede the prompt dissemination of patches to downstream users. We seek clarification on whether the delay might be attributed to:

1. Issues with testing and CI checking.
2. Other commits requiring inclusion in a single release.
3. By convention, infrequent release of versions.
4. Other reasons.
   We appreciate your attention to this matter and eagerly await your response. Thank you.

[philpennock]

I can take this, although the first of those pre-dates my involvement with our security process.

Neither of those CVEs was for more than a denial-of-service. They needed to be fixed, but they both boil down to "someone who has already authenticated with valid credentials, can DoS the server". We don't expedite releases for such fixes and tend to not embargo.

We did later formalize our stance regarding untrusted users, in our advisory policy at https://advisories.nats.io/advisory-policy:

Those who are running services which allow untrusted users are encouraged to build regularly from git.

If you look at the history of our advisories on the https://advisories.nats.io/ website (which starts after the first one above, we need to backfill, sorry) you should see that account boundary violations, authorization bypasses, file writes, etc all get a much more expedited treatment.

But DoS from an authenticated account is considered low priority.