Required fix for CVE-2022-3509 & CVE-2022-3510 in 2.x.x series

[iliyaj-loginsoft]

Hi @zhangskz

Do we have a fix for the GHSA-g5ww-5jh7-63cx vulnerability in the 2.x.x series? If not, could you please let me know where this vulnerability is triggered in the 2.x.x version, and in which file?

[zhangskz]

Unfortunately the 2.x series is extremely old and does not contain the fix. See https://protobuf.dev/support/version-support for our support windows / policies. We strongly recommend updating to a recent in-support version of protobuf (which would also contain a fix)

You can see the security advisory description and fix commits: e.g. https://github.com/protocolbuffers/protobuf/releases/tag/v21.7.