nissl-lab / npoi

a .NET library that can read/write Office formats without Microsoft Office installed. No COM+, no interop.
Apache License 2.0

Security vulnerabilities in SixLabors.ImageSharp #1394

Closed luisjones closed 2 months ago

luisjones commented 2 months ago

NPOI Version

2.7.1

Issue Description

Our Trivy security scanner pipeline is preventing this project from being used due to a security vulnerability in the SixLabors.ImageSharp package.

Installed library version: 2.1.8
Fixed versions: 2.1.9, 3.1.5

CVE-2024-41132 (https://avd.aquasec.com/nvd/2024/cve-2024-41132/)
CVE-2024-41131 (https://avd.aquasec.com/nvd/2024/cve-2024-41131/)

I have not created a PR for this as I did not want this to conflict with https://github.com/nissl-lab/npoi/pull/1390

Ameen-Alqattow commented 2 months ago

Can we fix then soon on 2.7.1.1?

MagicAndre1981 commented 2 months ago

Can we fix then soon on 2.7.1.1?

select your project where you consume npoi in Visual Studio, open the NuGet UI, go to "Installed packages", where you see "Top Level Packages" and "Transitive Packages". Now find SixLabors.ImageSharp under Transitive Packages and install it in version 2.1.9 to fix it yourself. The only issue now is that NuGet shows an update of SixLabors.ImageSharp to 3.1.5, because Microsoft still has no version range blocking like in old packages.config times (allowedVersions entry) or detection of incompatible frameworks.
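The workaround above relies on a human noticing a transitive package that sits below the advisory's fixed versions. The following added script (not part of npoi or of this thread) automates that check for a CI step: it reads the `libraries` section of a `project.assets.json` written by `dotnet restore`, compares each resolved version against the fixed versions quoted in the issue, and reports anything that is still below the fix on its own major line. The `project.assets.json` content is a constructed, trimmed sample; the rule for versions on a major line that has no listed fix is an assumption stated in the code, not something the advisory says.

```python
"""Flag NuGet packages whose resolved version is below an advisory's fixed versions.
Added example, not npoi project code. The sample assets file below is constructed."""
import json
import re

# Fixed versions quoted in the issue for SixLabors.ImageSharp
# (CVE-2024-41131 / CVE-2024-41132): 2.1.9 on the 2.x line, 3.1.5 on the 3.x line.
FIXED_VERSIONS = {"SixLabors.ImageSharp": ["2.1.9", "3.1.5"]}

# Constructed, trimmed-down project.assets.json for a project that references NPOI 2.7.1
# and therefore pulls SixLabors.ImageSharp 2.1.8 transitively (sample data, not a real file).
SAMPLE_ASSETS_JSON = """
{
  "version": 3,
  "targets": {
    "net8.0": {
      "NPOI/2.7.1": { "type": "package", "dependencies": { "SixLabors.ImageSharp": "2.1.8" } },
      "SixLabors.ImageSharp/2.1.8": { "type": "package" }
    }
  },
  "libraries": {
    "NPOI/2.7.1": { "type": "package" },
    "SixLabors.ImageSharp/2.1.8": { "type": "package" }
  }
}
"""


def parse_version(text):
    """Turn '2.1.8' or '3.1.5-beta.1' into a comparable tuple of ints (pre-release tag dropped)."""
    core = re.split(r"[-+]", text, maxsplit=1)[0]
    return tuple(int(part) for part in core.split("."))


def is_vulnerable(resolved, fixed_list):
    """True if `resolved` is below the fix on its own major line.

    Assumption (not from the advisory): a major line with no listed fix counts as
    vulnerable if it predates the lowest fixed version and as patched if it is newer.
    """
    resolved_v = parse_version(resolved)
    fixes = sorted(parse_version(f) for f in fixed_list)
    same_major = [f for f in fixes if f[0] == resolved_v[0]]
    if same_major:
        return resolved_v < same_major[0]
    return resolved_v < fixes[0]


def resolved_packages(assets_json_text):
    """Map package id -> resolved version from the 'libraries' section of project.assets.json."""
    data = json.loads(assets_json_text)
    result = {}
    for key, meta in data.get("libraries", {}).items():
        if meta.get("type") != "package":
            continue  # skip project references
        name, version = key.split("/", 1)
        result[name] = version
    return result


def find_vulnerable(assets_json_text, fixed_versions=FIXED_VERSIONS):
    """Return {package: (resolved_version, fixed_versions)} for every package below its fix."""
    findings = {}
    for name, version in resolved_packages(assets_json_text).items():
        fixes = fixed_versions.get(name)
        if fixes and is_vulnerable(version, fixes):
            findings[name] = (version, fixes)
    return findings


if __name__ == "__main__":
    for name, (version, fixes) in find_vulnerable(SAMPLE_ASSETS_JSON).items():
        print(f"{name} {version} is below fixed versions {', '.join(fixes)}; "
              f"pin it with a direct PackageReference in the consuming project.")
```

Point the script at the real `obj/project.assets.json` of the consuming project and fail the build when `find_vulnerable` returns anything. The fix it points to is the same one described in the comment above, which can also be done from the command line with `dotnet add package SixLabors.ImageSharp --version 2.1.9`: a direct reference in the consuming project overrides the transitive version NPOI would otherwise resolve.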

tonyqus commented 2 months ago

There is no plan for an urgent fix for this. The security bug is about the GIF codec. NPOI doesn't use this feature in ImageSharp at all.

lahma commented 2 months ago

Created #1402