dotnet / wcf

This repo contains the client-oriented WCF libraries that enable applications built on .NET Core to communicate with WCF services.
MIT License

System.ServiceModel.Primitives 8.0.0 transitively uses vulnerable package System.Security.Cryptography.Pkcs 6.0.1 #5406

Open flo-so opened 9 months ago

flo-so commented 9 months ago

System.ServiceModel.Primitives 8.0.0 has dependency System.Security.Cryptography.Xml >= 6.0.1.
System.Security.Cryptography.Xml 6.0.1 has dependency System.Security.Cryptography.Pkcs 6.0.1, which is marked vulnerable.
Visual Studio 2022 transitive package installation installs the minimum required package version, which is the vulnerable version.
Please update package dependencies of System.ServiceModel.Primitives 8.0.0.

miksh7 commented 8 months ago

A similar issue is in System.ServiceModel.Primitives 6.2.0.

Zastai commented 5 months ago

It's especially odd that the 8.0.0 version, which only targets net8.0, would depend on .NET 6 packages instead of .NET 8 ones.

lukasmichel commented 3 months ago

What would have to be changed to use the current dependency? Is it necessary at all to explicitly state the version? The package should be contained in the runtime directly.

davidgvh commented 3 months ago

Why does the .NET 8 dependency list include .NET 6 package? There are older packages with dependency specifications for the older stuff. This feels like a lifecycle violation.

Falco20019 commented 2 weeks ago

@HongGit Friendly ping since there is still no documented workaround (to either use System.Security.Cryptography.Xml@8.x or System.Security.Cryptography.Pkcs@6.0.3+). So an official fix or at least a note would be appreciated.
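The workaround mentioned above, written out as an added project-file example (not from the dotnet/wcf repo or any commenter): a direct PackageReference to the patched Pkcs package overrides the transitive 6.0.1 minimum because NuGet's nearest-wins rule prefers a direct reference over a transitive one. The net8.0 target and the NuGetAudit properties are assumptions for a consuming project, not part of the thread.

```xml
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <!-- Assumed consuming project; only net8.0 is targeted here. -->
    <TargetFramework>net8.0</TargetFramework>
    <!-- Assumed: ask NuGet to audit the whole graph at restore time,
         not just direct references, so a vulnerable transitive package
         such as Pkcs 6.0.1 is reported as a restore warning. -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
  </PropertyGroup>

  <ItemGroup>
    <!-- The package from the issue; on its own it pulls in
         System.Security.Cryptography.Xml >= 6.0.1, which pulls in
         System.Security.Cryptography.Pkcs 6.0.1 (the vulnerable version),
         because NuGet resolves the lowest version that satisfies a range. -->
    <PackageReference Include="System.ServiceModel.Primitives" Version="8.0.0" />

    <!-- Direct reference to the patched package (6.0.3+ per the thread).
         Nearest-wins: this direct reference replaces the transitive 6.0.1
         in the resolved graph without changing Primitives itself. -->
    <PackageReference Include="System.Security.Cryptography.Pkcs" Version="6.0.3" />
  </ItemGroup>
</Project>
```

After restoring, `dotnet list package --vulnerable --include-transitive` shows whether any vulnerable version still remains in the resolved graph.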