Sustainsys / Saml2

Saml2 Authentication services for ASP.NET

Vulnerable dependency System.Security.Cryptography.Xml #1429

Closed ladeak closed 5 months ago

ladeak commented 5 months ago

Summary

In version 2.9.2 the library depends on System.Security.Cryptography.Xml version >=4.5, which has a moderate security vulnerability.

Details

https://www.nuget.org/packages/System.Security.Cryptography.Xml/4.5.0

I understand an application could take on this dependency directly and update it to a more recent, non-vulnerable version. Is it safe to do so (i.e. could reflection break the Sustainsys.Saml2 library)?

If it is safe, would it make sense to bump the version of this dependency directly here in the Sustainsys.Saml2 library?

AndersAbel commented 5 months ago

It should be safe to make your application update to a supported non-vulnerable version. If you would find any issues with that, please open a new issue here on the bug tracker.

When dependencies have security issues, there is no way to keep up with that and create new releases of this library just to bump the dependency. For any future releases it would make sense to update the reference to the lowest supported non-vulnerable version.
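An added example, not from the issue or the Sustainsys project, of the workaround discussed above: the application's own project file takes a direct reference to System.Security.Cryptography.Xml, so NuGet's "nearest wins" rule prefers it over the transitive `>=4.5` floor that Sustainsys.Saml2 2.9.2 declares. The project name, target framework and the `PATCHED_VERSION` placeholder are assumptions; take the real version from the NuGet advisory for the package.

```xml
<!-- MyWebApp.csproj (hypothetical application project, not part of Sustainsys.Saml2) -->
<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup>
    <!-- Assumed target; adjust to the application's actual framework. -->
    <TargetFramework>net6.0</TargetFramework>
  </PropertyGroup>

  <ItemGroup>
    <!-- Before: only the SAML library is referenced. NuGet picks the lowest
         version that satisfies its transitive ">= 4.5" constraint, so the
         vulnerable System.Security.Cryptography.Xml 4.5.0 is restored. -->
    <PackageReference Include="Sustainsys.Saml2" Version="2.9.2" />

    <!-- After: a direct reference is "nearer" than the transitive one, so
         NuGet restores this version instead. It still satisfies ">= 4.5",
         so no downgrade warning (NU1605) is raised. PATCHED_VERSION is a
         placeholder: use the lowest version the advisory lists as fixed. -->
    <PackageReference Include="System.Security.Cryptography.Xml" Version="PATCHED_VERSION" />
  </ItemGroup>
</Project>
```

After `dotnet restore`, `dotnet list package --vulnerable --include-transitive` should no longer report the package; if the override ever breaks the library at runtime (for example through reflection), that is the regression the maintainer asks to have reported as a new issue.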

ladeak commented 5 months ago

Thank you for the response and details. I was considering opening a PR with the update, but I realized bumping the version would be the least part of the work for a release. I believe, though, that the Microsoft.* dependencies also have transient dependencies with vulnerabilities. Closing the issue for now.