Closed KasperDamgaard closed 4 years ago
Thanks for reporting this!
I've pushed Rebus.PostgreSql 6.0.0-b03 now, so it should be visible on NuGet.org when they update their index.
Thanks for handling this extremely fast!
We have some issues getting all the 6.x versions to function together. Any chance the fix could be applied to the 5.x version line as well? Not sure if we're just outdated and the only ones still using 5.x :)
Ah, fair enough - it's fixed in Rebus.PostgreSql 5.1.0, which is on NuGet.org now 🙂
I'm sorry, but it seems like the 5.1.0 change did not change the dependency on System.Data.SqlClient. Running the tool again reveals that we're still vulnerable. Also: I'm sorry, but I did not catch the next transient dependency. The next one is now npgsql/3.2.2 since this also references System.Net.Security/4.3.0 - this should be upgradable as well. We would need at least npgsql/3.2.7 if I read the dependency stuff correctly, but of course it's best to always be the most up to date as possible.
I will happily run dotnet-retire after each release, but maybe it's faster for you if you do it yourself.
Edit: Oh, and btw - this postgresql references rebus 4.0.0 - which is quite old. Just something to consider while I'm bugging you about updating dependencies :)
hmm, you're right.... I guess I was too quick yesterday... 😆 let me just take a look
Could you try Rebus.PostgreSql 5.1.1?
Seems to work and no more warnings about security issues! Thanks again :)
Excellent! 👍
After running a dotnet-retire on our repository, we found this issue appearing: https://github.com/dotnet/runtime/issues/21591
We are working in .net core 3.1, and it seems that, by using the current version of Rebus.PostgreSql, we are vulnerable to this issue, as we transiently depend on System.Data.SqlClient.4.3.0, which in turn depends on System.Net.Security.4.3.0, which is one of the vulnerable packages in the issue I linked above.
I am unsure how exactly to fix this, but it seems it would be enough to update the dependency for System.Data.SqlClient to a newer version which works in a .net core setting.
I will be happy to provide more information if you need it, and I hope this issue is easily fixed.
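The thread above turns on two transitive chains (Rebus.PostgreSql -> System.Data.SqlClient 4.3.0 -> System.Net.Security 4.3.0, and later Rebus.PostgreSql -> Npgsql 3.2.2 -> System.Net.Security 4.3.0), and on who has to bump what: the application owner can only raise the direct dependency, while the intermediate package's maintainer has to raise the one that actually references the flagged version. The script below is an added example, not code from this issue, from dotnet-retire or from the Rebus project. It walks the `targets` and `project.frameworks` sections of NuGet's `obj/project.assets.json` (the real file layout, cut down to the fields used here) and prints each chain together with the two remediation points. The embedded assets document is a constructed sample whose package names and versions mirror the chain described in the thread; the `VULNERABLE` set is an assumed stand-in for the advisory feed a scanner would consult, not a statement about which versions are affected.

```python
"""Explain transitive dependency chains to a known-vulnerable NuGet package.

Reads the shape of NuGet's obj/project.assets.json:
  "targets" -> framework -> "Name/Version" -> {"type", "dependencies"}
  "project" -> "frameworks" -> framework -> "dependencies" (the direct ones)
and walks it depth-first so a report can name both the direct dependency the
application owner controls and the package whose maintainer must bump the
vulnerable one.
"""
import json
import sys
from typing import Dict, List, Set, Tuple

# Constructed sample in the shape of project.assets.json, trimmed to the fields
# this script uses. Names and versions mirror the chain discussed in the thread.
SAMPLE_ASSETS = json.loads(r'''
{
  "targets": {
    ".NETCoreApp,Version=v3.1": {
      "Rebus.PostgreSql/5.1.0": {"type": "package",
        "dependencies": {"Rebus": "4.0.0", "Npgsql": "3.2.2", "System.Data.SqlClient": "4.3.0"}},
      "Rebus/4.0.0": {"type": "package", "dependencies": {}},
      "Npgsql/3.2.2": {"type": "package", "dependencies": {"System.Net.Security": "4.3.0"}},
      "System.Data.SqlClient/4.3.0": {"type": "package", "dependencies": {"System.Net.Security": "4.3.0"}},
      "System.Net.Security/4.3.0": {"type": "package", "dependencies": {}}
    }
  },
  "project": {"frameworks": {"netcoreapp3.1": {"dependencies": {
      "Rebus.PostgreSql": {"target": "Package", "version": "[5.1.0, )"}}}}}
}
''')

# Assumed advisory list for the example: (package, resolved version) pairs that an
# advisory feed flags. A real run would load this from the scanner's data source.
VULNERABLE: Set[Tuple[str, str]] = {("System.Net.Security", "4.3.0")}


def resolved_key(target: Dict[str, dict], name: str) -> str:
    """Map a package name to its resolved 'Name/Version' entry.

    NuGet resolves exactly one version per package in a restore graph, so a
    case-insensitive name match is enough.
    """
    for key in target:
        if key.split("/", 1)[0].lower() == name.lower():
            return key
    raise KeyError(f"{name} is not resolved in the assets file")


def vulnerable_chains(assets: dict, vulnerable: Set[Tuple[str, str]]) -> List[List[str]]:
    """Return every path from a direct dependency to a flagged package version."""
    target = next(iter(assets["targets"].values()))
    direct = next(iter(assets["project"]["frameworks"].values()))["dependencies"]
    chains: List[List[str]] = []

    def walk(key: str, path: List[str]) -> None:
        name, version = key.split("/", 1)
        path = path + [key]
        if (name, version) in vulnerable:
            chains.append(path)
            return  # report the first flagged hop; its own dependencies are not walked
        for dep_name in target[key].get("dependencies", {}):
            dep_key = resolved_key(target, dep_name)
            if dep_key not in path:  # guard against cycles in a malformed file
                walk(dep_key, path)

    for name in direct:
        walk(resolved_key(target, name), [])
    return chains


def remediation_points(chains: List[List[str]]) -> List[Tuple[str, str]]:
    """(direct dependency you can bump, package that references the flagged version)."""
    return sorted({(c[0], c[-2] if len(c) > 1 else c[0]) for c in chains})


def format_report(chains: List[List[str]]) -> List[str]:
    """Human-readable lines: one per chain, then one per remediation point."""
    lines = [" -> ".join(c) for c in chains]
    for direct, parent in remediation_points(chains):
        lines.append(f"bump {direct} once the maintainer of {parent} updates its dependency")
    return lines


if __name__ == "__main__":
    # Pass a path to a real obj/project.assets.json to analyse it; otherwise use the sample.
    assets = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_ASSETS
    for line in format_report(vulnerable_chains(assets, VULNERABLE)):
        print(line)
```

On the sample this reports two chains, both ending at System.Net.Security/4.3.0, and tells the application owner that raising Rebus.PostgreSql alone is not enough until Npgsql and System.Data.SqlClient themselves stop referencing the flagged version, which is exactly the situation the thread describes before 5.1.1. The walk stops at the first flagged hop so that the report stays focused on the package that introduces the problem.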