Hi,
I recently confirmed that there was a security issue (memory leak) in the patch commit for CVE-2021-32762 provided in the public vulnerability database (e.g., NVD). Of course, the Redis team immediately confirmed this and applied a supplementary patch to confirm that the problem was resolved.
- Original patch commit: 0215324a66af949be39b34be2d55143232c1cb71
- Supplementary patch commit: 922ef86a3b1c15292e1f35338a0ac137a08a11b4
In this case, shouldn't the patch commit referenced for CVE-2021-32762 be updated (to include the supplementary patch)? Currently, the NVD page contains only the commit 0215324a66af949be39b34be2d55143232c1cb71.
Or, instead, should the supplementary patch be registered as a new CVE, since it resolves the security issue caused by the incomplete patch for CVE-2021-32762? There are many cases in which a commit resolving the incomplete patch of a CVE is registered as a new CVE (e.g., CVE-2021-45884 and CVE-2022-25352).
Thank you.