dotnet / orleans

Cloud Native application framework for .NET
https://docs.microsoft.com/dotnet/orleans
MIT License

Security vulnerability in .NET 8.0.0 #8832

Closed ajaind86 closed 7 months ago

ajaind86 commented 8 months ago

All of Orleans NuGet packages are based on .NET 8.0.0. A security vulnerability that existed in .NET 8.0.0 has been fixed in .NET 8.0.1 (linked below). Please update Orleans packages to use the new version, as Black Duck scans running in our project are flagging .NET 8.0.0 as a security risk.


https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-0056

https://www.cve.org/CVERecord?id=CVE-2024-0056

ajaind86 commented 8 months ago

@ReubenBond - Tagging for visibility

SebastianStehle commented 8 months ago

I hope I am not wrong:

If this is a framework assembly, then the installed runtime version defines the version, not the app. If this is a normal package, you can usually define the minor version in your csproj, by just installing the newest version.

So it is not urgent for Orleans team to do anything here.
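A check for the framework-assembly case described in the comment above, as an added example that is not part of the thread or of the Orleans project: it reads `dotnet --list-runtimes` output and reports installed 8.0.x runtimes older than the 8.0.1 release the issue names as fixed. The function names and the sample runtime list are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag installed .NET 8.0 runtimes older than the fixed 8.0.1.
# Input format is that of `dotnet --list-runtimes`:
#   <framework name> <version> [<install path>]

FIXED_PATCH=1   # the issue states the fix shipped in .NET 8.0.1

flag_old_runtimes() {
    # Reads `dotnet --list-runtimes` output on stdin and prints "name version"
    # for every 8.0.x runtime whose patch number is below FIXED_PATCH.
    awk -v fixed="$FIXED_PATCH" '
        NF >= 2 {
            ver = $2
            sub(/-.*/, "", ver)      # drop a prerelease suffix such as -rc.2
            n = split(ver, p, ".")
            if (n >= 3 && p[1] + 0 == 8 && p[2] + 0 == 0 && p[3] + 0 < fixed + 0)
                print $1, $2         # report the version exactly as listed
        }'
}

# Constructed sample output (not taken from a real host).
SAMPLE_RUNTIMES='Microsoft.AspNetCore.App 8.0.0 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 6.0.26 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.0 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.2 [/usr/share/dotnet/shared/Microsoft.NETCore.App]'

check_sample() {
    printf '%s\n' "$SAMPLE_RUNTIMES" | flag_old_runtimes
}

# Run against the constructed sample; on a real host use:
#   dotnet --list-runtimes | flag_old_runtimes
check_sample
```

An empty result means no 8.0.x runtime below 8.0.1 is installed; versions of packages referenced through NuGet are resolved separately and are not covered by this check.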

ReubenBond commented 7 months ago

We bumped the SDK version to 8.0.200