DuendeSoftware / Support

Support for Duende Software products

IdentityServer 6.3.x security vulnerabilities #1266

Closed LionelBergen closed 2 months ago

LionelBergen commented 3 months ago

Which version of Duende IdentityServer are you using? 6.3.8

Which version of .NET are you using? 6

Describe the bug

Security Vulnerabilities show up when running dotnet list package --vulnerable --include-transitive, for 2 dependencies

To Reproduce

Run dotnet list package --vulnerable --include-transitive inside src/IdentityServer

Expected behavior

No vulnerabilities

Additional context

6.3.x is listed as maintained as long as .NET 6.0 is (until November 12, 2024)

josephdecock commented 3 months ago

We're considering releasing a maintenance patch that updates these 2 dependencies with vulnerabilities. In the meantime, you should be able to upgrade the impacted packages explicitly.
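An added example, not part of the thread and not Duende's code: it reads the report from the command in the issue and builds the commands that pin a vulnerable transitive package explicitly, as suggested above. It assumes an SDK that supports `--format json` and the report field names shown; package ids, versions and advisory URLs are constructed placeholders, not the two dependencies from this issue.

```python
import json

# Constructed sample shaped like the output of
# `dotnet list package --vulnerable --include-transitive --format json`.
# Package ids, versions and advisory URLs are placeholders.
SAMPLE_REPORT = json.loads("""
{"projects": [{
  "path": "src/IdentityServer/Example.csproj",
  "frameworks": [{"framework": "net6.0", "transitivePackages": [
    {"id": "Example.Transitive.A", "resolvedVersion": "2.1.0", "vulnerabilities":
      [{"severity": "High", "advisoryurl": "https://example.invalid/advisory-a"}]},
    {"id": "Example.Transitive.B", "resolvedVersion": "4.3.0", "vulnerabilities":
      [{"severity": "Moderate", "advisoryurl": "https://example.invalid/advisory-b"}]}
  ]}]}]}
""")


def vulnerable_packages(report):
    """Rows: (project, framework, kind, id, resolved version, severity, advisory)."""
    rows = set()
    for project in report.get("projects", []):
        for fw in project.get("frameworks", []):  # tolerate projects with no findings
            for kind, key in (("top-level", "topLevelPackages"),
                              ("transitive", "transitivePackages")):
                for pkg in fw.get(key, []):
                    for vuln in pkg.get("vulnerabilities", []):
                        rows.add((project["path"], fw["framework"], kind, pkg["id"],
                                  pkg["resolvedVersion"], vuln["severity"],
                                  vuln["advisoryurl"]))
    return sorted(rows)


def pin_commands(rows, fixed_versions):
    """Commands that promote vulnerable transitive packages to explicit references.
    fixed_versions maps package id -> patched version the operator took from the advisory."""
    cmds = []
    for project, _fw, kind, pkg_id, *_ in rows:
        if kind == "transitive" and pkg_id in fixed_versions:
            cmd = f"dotnet add {project} package {pkg_id} --version {fixed_versions[pkg_id]}"
            if cmd not in cmds:  # same package may appear under several frameworks
                cmds.append(cmd)
    return cmds


if __name__ == "__main__":
    rows = vulnerable_packages(SAMPLE_REPORT)
    # "2.1.1" is a placeholder; take the real patched version from the advisory.
    print(*rows, *pin_commands(rows, {"Example.Transitive.A": "2.1.1"}), sep="\n")
    raise SystemExit(1 if rows else 0)  # non-zero exit fails a CI step
```

After pinning, re-run the same `dotnet list package` command to confirm the resolved version changed and the finding is gone.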

RolandGuijt commented 2 months ago

Please continue to track this with the issue shown above in the IdentityServer issue tracker. I'm closing this one.