We found the patch versions not appeared in Golang Index.

[Silence-worker-02]

Hello, we are a research team working on Golang. During our investigation, we discovered that the following CVEs - CVE-2020-13846, CVE-2020-13845, CVE-2020-25039 and CVE-2019-11328 - were addressed and the patch versions were released. However, we noticed that these patch versions have not appeared in the Golang Index, which means that 'go list' cannot automatically push the patch versions to downstream users.

We recommend that after releasing the versions, this will enable the automatic distribution of the patch versions to downstream users. Thank you for your attention.

[dtrudg]

Hello,

This project has a complex history due to a fork that took place in 2021. sylabs/singularity now holds the SingularityCE project. The fork, and the first SingularityCE release (v3.8.0), happened after the CVEs that you have listed.

Historic releases are now found on the other side of the fork, in a repository that is now located at https://github.com/apptainer/singularity

Note that the advisories you have linked show that this is the case:

We cannot take any action relating to security issues / advisories that are specific to https://github.com/apptainer/singularity