CVE-2019-11250 for Go has inaccurate fix versions
Hi, https://gitlab.com/gitlab-org/advisories-community/-/blob/main/go/k8s.io/client-go/CVE-2019-11250.yml lists fix versions as:
affected_range: "<1.15.4||=1.16.0"
fixed_versions:
- "1.15.4"
- "1.16.1-beta.0"
However, client-go follows a non-standard versioning system:
We recommend using the v0.x.y tags for Kubernetes releases >= v1.17.0 and kubernetes-1.x.y tags for Kubernetes releases < v1.17.0.
https://github.com/kubernetes/client-go/tree/kubernetes-1.21.1#client-go
That is, 0.20.1 is actually greater than 1.15.4. I'm not sure how best to update this?
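The mismatch described in this issue, as an added example (not code from the advisory database or from client-go): it evaluates the quoted `affected_range` against a tag as written, and again after mapping a `v0.x.y` tag to the Kubernetes release `1.x.y` it tracks. The function names and the normalisation rule are assumptions for illustration, and pre-release suffixes are ignored.

```go
package main

import (
	"fmt"
	"strings"
)

// ver is a bare major.minor.patch triple (simplification: pre-release dropped).
type ver [3]int

// parse accepts "kubernetes-1.15.4", "v0.20.1" or "1.15.4".
func parse(tag string) (v ver, err error) {
	s := strings.TrimPrefix(strings.TrimPrefix(tag, "kubernetes-"), "v")
	_, err = fmt.Sscanf(s, "%d.%d.%d", &v[0], &v[1], &v[2])
	return v, err
}

func less(a, b ver) bool {
	for i := range a {
		if a[i] != b[i] {
			return a[i] < b[i]
		}
	}
	return false
}

// inRange evaluates the advisory's affected_range "<1.15.4||=1.16.0".
func inRange(v ver) bool {
	return less(v, ver{1, 15, 4}) || v == ver{1, 16, 0}
}

// Affected returns the verdict for the tag compared as written (naive) and
// after mapping v0.x.y to Kubernetes 1.x.y (normalised; assumed rule).
func Affected(tag string) (naive, normalised bool, err error) {
	v, err := parse(tag)
	if err != nil {
		return false, false, err
	}
	k := v
	if v[0] == 0 && v[1] >= 17 { // v0.x.y tags are used for Kubernetes >= 1.17.0
		k[0] = 1
	}
	return inRange(v), inRange(k), nil
}

func main() {
	for _, tag := range []string{"kubernetes-1.15.3", "kubernetes-1.15.4", "kubernetes-1.16.0", "v0.20.1"} {
		n, k, err := Affected(tag)
		fmt.Printf("%-18s naive=%v normalised=%v err=%v\n", tag, n, k, err)
	}
}
```

A tag where the two verdicts differ, such as `v0.20.1`, is one the range as written flags even though it is newer than the fixed releases.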