aws / aws-ssm-data-protection-provider-for-aspnet

An extension library to assist with ASP.NET data protection in AWS Lambda.
Apache License 2.0

Upgrade Microsoft.AspNetCore.DataProtection.Extensions version to resolve pulling in packages with CVEs #54

Closed roemba closed 1 year ago

roemba commented 1 year ago

Describe the feature

The current version of Microsoft.AspNetCore.DataProtection.Extensions is 3.1.28. I would like to request upgrading this to the latest 6.0.* version.

Use Case

The current version of Microsoft.AspNetCore.DataProtection.Extensions is 3.1.28 :

<PackageReference Include="Microsoft.AspNetCore.DataProtection.Extensions" Version="3.1.28" />

Version 3.1.28 has a dependency on System.Security.Cryptography.Xml version 4.7.1, which has a dependency on System.Security.Permissions 4.7.0, which in turn has a dependency on System.Drawing.Common 4.7.0, which has CVE-2021-24112; see https://avd.aquasec.com/nvd/2021/cve-2021-24112/

.NET Core 3.1 has reached EOL on 13-12-2022 so I suggest upgrading Microsoft.AspNetCore.DataProtection.Extensions to 6.0.* to resolve any old dependency problems.

Proposed Solution

No response

Other Information

No response

Acknowledgements

AWS .NET SDK and/or Package version used

Amazon.AspNetCore.DataProtection.SSM version 3.1.0

Targeted .NET Platform

.NET Core 6

Operating System and version

Ubuntu
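
A way to trace a chain like the one reported above yourself, added here as an example and not code from the issue or from the aws project: it reads a NuGet packages.lock.json (the file written when a project restores with RestorePackagesWithLockFile enabled or `dotnet restore --use-lock-file`) and prints every dependency path from a direct PackageReference down to a package of interest. The embedded lock-file content is constructed to mirror the chain in the report; the edge from Amazon.AspNetCore.DataProtection.SSM 3.1.0 to the DataProtection.Extensions package and the exact per-package version strings are assumptions made for illustration.

```python
"""Trace why a flagged NuGet package ends up in a .NET project's restore graph.

Input is a NuGet packages.lock.json. Output is every chain of the form
Direct PackageReference -> ... -> target, with resolved versions, which is
the information a CVE scanner's flat list of package names does not give you.
"""
import json

# Constructed sample in the packages.lock.json shape (contentHash fields omitted).
# The chain mirrors the one reported in the issue; the SSM -> Extensions edge and
# the version strings are assumptions for this example.
SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "net6.0": {
            "Amazon.AspNetCore.DataProtection.SSM": {
                "type": "Direct",
                "requested": "[3.1.0, )",
                "resolved": "3.1.0",
                "dependencies": {
                    "Microsoft.AspNetCore.DataProtection.Extensions": "3.1.28",
                },
            },
            "Microsoft.AspNetCore.DataProtection.Extensions": {
                "type": "Transitive",
                "resolved": "3.1.28",
                "dependencies": {"System.Security.Cryptography.Xml": "4.7.1"},
            },
            "System.Security.Cryptography.Xml": {
                "type": "Transitive",
                "resolved": "4.7.1",
                "dependencies": {"System.Security.Permissions": "4.7.0"},
            },
            "System.Security.Permissions": {
                "type": "Transitive",
                "resolved": "4.7.0",
                "dependencies": {"System.Drawing.Common": "4.7.0"},
            },
            "System.Drawing.Common": {"type": "Transitive", "resolved": "4.7.0"},
        }
    },
})


def load_graph(lock_json, framework):
    """Build {lowercase id: node} for one target framework.

    NuGet package ids are case-insensitive, so keys are normalised and the
    original spelling is kept in node['name'] for display.
    """
    data = json.loads(lock_json)
    graph = {}
    for name, info in data["dependencies"][framework].items():
        graph[name.lower()] = {
            "name": name,
            "type": info["type"],          # Direct, Transitive or Project
            "resolved": info["resolved"],
            "deps": [d.lower() for d in info.get("dependencies", {})],
        }
    return graph


def paths_to(graph, target):
    """Return all chains from Direct references to `target`.

    Each chain is a list of 'PackageId resolvedVersion' strings, root first.
    """
    target_key = target.lower()
    chains = []

    def walk(key, trail, seen):
        node = graph.get(key)
        if node is None:               # e.g. framework references absent from the lock file
            return
        trail = trail + [f"{node['name']} {node['resolved']}"]
        if key == target_key:
            chains.append(trail)
            return
        for dep in node["deps"]:
            if dep not in seen:        # cycle guard for malformed lock files
                walk(dep, trail, seen | {dep})

    for key, node in graph.items():
        if node["type"] == "Direct":
            walk(key, [], {key})
    return chains


if __name__ == "__main__":
    graph = load_graph(SAMPLE_LOCK, "net6.0")
    for chain in paths_to(graph, "System.Drawing.Common"):
        print(" -> ".join(chain))
```

Point it at a real lock file with `load_graph(open("packages.lock.json").read(), "net6.0")`. `dotnet list package --vulnerable --include-transitive` will tell you that System.Drawing.Common is flagged, but not why it was pulled in; the chain is what you need when deciding whether to wait for an upstream release or to add a direct PackageReference to a patched version, which NuGet's nearest-wins resolution then uses in place of the transitive one.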

ashishdhingra commented 1 year ago

Needs review with the team.

@roemba Feel free to contribute PR as you suggested which could be reviewed by the team.

normj commented 1 year ago

I created a PR to address the issue. I know .NET Core 3.1 is EOL, but we still have quite a few users using it, so we're not ready to remove support for it from this library yet. The PR will address your issue though.

https://github.com/aws/aws-ssm-data-protection-provider-for-aspnet/pull/55

normj commented 1 year ago

Version 3.1.1 has been released with the fix on the dependency. Thanks for letting us know the issue.
