Status: Closed (closed by dovrama 6 months ago)
Well that's kind of annoying, the fix in Castle.Core is only available in these tags:
v5.0.0
v5.0.0-beta001
v5.1.0
v5.1.1
meaning it was never released for 4.*.* versions.
I'm a bit hesitant to bump a major version on Castle.Core, as that is a breaking change and might cause difficulties to some users (those who are using the package not only as a transitive dependency of Decor).
The vulnerability page lists that System.Net.Http was patched in 4.3.4, so technically if we add that as an explicit dependency to Decor, the unpatched/vulnerable version should never be restored during the build. Not sure if your scanning tools would be sophisticated enough to figure that out, but it's worth a try.
I'll try to release this as a preview version, so please let me know if it resolves the issue.
If the scanning tool still complains I'll just move to Castle.Core >=5.0.0 and bump the major version in Decor as well.
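The explicit-dependency approach described in the comment above, as an added illustration (this is not the Decor project's own csproj; the SDK-style layout and the netstandard2.0 target framework are assumptions, and the package versions are the ones named in this thread):

```xml
<!-- Illustrative SDK-style project file (assumed layout, not Decor's actual csproj) -->
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <!-- Target framework is an assumption for this example -->
    <TargetFramework>netstandard2.0</TargetFramework>
  </PropertyGroup>

  <ItemGroup>
    <!-- Unchanged: Castle.Core 4.4.0 still pulls in
         NETStandard.Library 1.6.1 -> System.Net.Http 4.3.0 transitively -->
    <PackageReference Include="Castle.Core" Version="4.4.0" />

    <!-- Added: a direct reference sits nearer the project in NuGet's
         dependency graph than the transitive one, so restore resolves
         System.Net.Http to 4.3.4 (the patched floor) instead of 4.3.0 -->
    <PackageReference Include="System.Net.Http" Version="4.3.4" />
  </ItemGroup>
</Project>
```

To confirm what restore actually picked, run `dotnet restore` and then `dotnet list package --include-transitive`; the resolved System.Net.Http line should read 4.3.4, and `dotnet list package --vulnerable --include-transitive` (which queries the NuGet advisory feed, so it needs network access) should no longer list CVE-2018-8292. The caveat is the one the comment already raises: a scanner that reads Castle.Core's declared dependency ranges rather than the project's resolved graph (project.assets.json or packages.lock.json) will keep flagging the package regardless of what restore resolved.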
@dovrama the package is now published as 2.0.8-preview.1, let me know if this resolves the issue for you.
@lawrence-laz, thank you for the fast response. I'll check it out on the 12th of March once I am at work!
@lawrence-laz, could you also create a preview version for Decor.Extensions.Microsoft.DependencyInjection? As we're using this with DI mainly?
@dovrama released
@lawrence-laz, your change did the trick, vulnerability is gone! Thank you very much for fast response and actions. Waiting for a normal version release 👍
Good to hear. Both packages are now released under 2.0.8.
Hello, we're using this great package and our scanning tools have picked up that it has a vulnerability.
Basically, the NuGet package that is being used in this project (Castle.Core 4.4.0) has a reference to this vulnerability: CVE-2018-8292
Exact path: Decor.Extensions.Microsoft.DependencyInjection/2.0.7 -> Castle.Core/4.4.0 -> NETStandard.Library/1.6.1 -> System.Net.Http/4.3.0
We believe that bumping Castle.Core to a newer version (>= 5.0.0) should fix this issue. The same issue is being discussed in Castle.Core: CastleCore using an old version of System.Net.Http which is vulnerable
Could this be done and released?
Thanks in advance!