aspnet / Announcements

Subscribe to this repo to be notified about major changes in ASP.NET Core and Entity Framework Core

Microsoft Security Advisory 4021279 #250

Open Moritzschmidt opened 7 years ago

Moritzschmidt commented 7 years ago

Hello, my application is an ASP.NET Core 1.0 Web API.

According to the Microsoft Security Advisory 4021279, I wanted to update the direct dependencies of my project.

In the MyClassName.csproj is the following line:

<PackageReference Include="Microsoft.AspNetCore.Mvc" Version="1.0.3" />

which I change to:

<PackageReference Include="Microsoft.AspNetCore.Mvc" Version="1.0.4" />

because the versions 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.1.0, 1.1.1, 1.1.2 of Microsoft.AspNetCore.Mvc are not safe to use.

If I then try to run the project, I am getting the following error message:

System.BadImageFormatException: "Could not load file or assembly 'System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'. Reference assemblies should not be loaded for execution. They can only be loaded in the Reflection-only loader context. (Exception from HRESULT: 0x80131058)" Inner Exception: BadImageFormatException: Cannot load a reference assembly for execution.

The post on Git also says:

If after recompilation you see a Dependency conflict warning, you must update your other direct dependencies to the appropriate version.

For example if your project refers to Microsoft.AspNetCore.Routing with a version number of 1.0.1 when you update your Microsoft.AspNetCore.Mvc package to 1.0.4, compilation will throw:

NU1012 Dependency conflict. Microsoft.AspNetCore.Mvc.Core 1.0.4 expected Microsoft.AspNetCore.Routing >= 1.0.4 but received 1.0.1

As you can see, I am not getting this error message. However, I was able to fix the error by updating the package Microsoft.AspNetCore.Routing to 1.0.4.

This should maybe be added to the post.

Daniel15 commented 7 years ago

This is not the correct repository for feedback. Please use the discussion thread over here instead: https://github.com/aspnet/Mvc/issues/6246

poke commented 7 years ago

The original announcement does explain this under the "After updating your direct dependencies" header:

To fix this, edit the version for the expected package to be the version expected by updating your csproj or project.json in the same way that you used to update the vulnerable package versions.

So in this case, since the error mentioned “expected Microsoft.AspNetCore.Routing >= 1.0.4”, you would have to update the package to 1.0.4 or greater.


Also, please do not post issues in this repository. It is solely meant for announcements and not for discussion of said announcements.
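A pre-build check for the situation discussed in this thread, added here as an example (it is not code from the advisory or from any commenter): it flags a `Microsoft.AspNetCore.Mvc` reference at one of the versions listed above and a direct `Microsoft.AspNetCore.Routing` reference older than the NU1012 message expects. The function names, the `MINIMUMS` table and the sample csproj are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Versions of Microsoft.AspNetCore.Mvc listed in the thread as not safe to use.
VULNERABLE_MVC = {"1.0.0", "1.0.1", "1.0.2", "1.0.3", "1.1.0", "1.1.1", "1.1.2"}
# From the NU1012 message quoted above: with Mvc 1.0.4, Mvc.Core 1.0.4 expects
# Routing >= 1.0.4. Hypothetical table; extend it with pairs you have verified.
MINIMUMS = {("Microsoft.AspNetCore.Mvc", "1.0.4"): {"Microsoft.AspNetCore.Routing": "1.0.4"}}

def _key(version):
    """Turn '1.0.4' into (1, 0, 4). Assumes plain versions, not ranges or wildcards."""
    return tuple(int(part) for part in version.split("-")[0].split("."))

def package_refs(csproj_text):
    """Return {package id: version} for PackageReference items with a Version attribute."""
    refs = {}
    for el in ET.fromstring(csproj_text).iter():
        # Drop any XML namespace prefix so namespaced project files also match.
        if el.tag.rsplit("}", 1)[-1] == "PackageReference":
            name, version = el.get("Include"), el.get("Version")
            if name and version:
                refs[name] = version.strip()
    return refs

def audit(csproj_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    refs = package_refs(csproj_text)
    findings = []
    mvc = refs.get("Microsoft.AspNetCore.Mvc")
    if mvc in VULNERABLE_MVC:
        findings.append(f"Microsoft.AspNetCore.Mvc {mvc} is a vulnerable version")
    for (pkg, ver), minimums in MINIMUMS.items():
        if refs.get(pkg) != ver:
            continue
        for dep, minimum in minimums.items():
            # Only direct references are visible here; transitive ones are NuGet's job.
            if dep in refs and _key(refs[dep]) < _key(minimum):
                findings.append(f"{dep} {refs[dep]} is below {minimum} expected by {pkg} {ver}")
    return findings

# Constructed sample modelled on the announcement's example: Mvc bumped, Routing left at 1.0.1.
SAMPLE = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.Mvc" Version="1.0.4" />
    <PackageReference Include="Microsoft.AspNetCore.Routing" Version="1.0.1" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Running a check like this in CI catches the stale direct reference even when, as in the report above, the build does not emit NU1012.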