rebus-org / Rebus.PostgreSql

:bus: PostgreSQL persistence for Rebus
https://mookid.dk/category/rebus

Security issue #13

Closed KasperDamgaard closed 4 years ago

KasperDamgaard commented 4 years ago

After running dotnet-retire on our repository, we found this issue appearing: https://github.com/dotnet/runtime/issues/21591

We are working in .NET Core 3.1, and it seems like, by using the current version of Rebus.PostgreSql, we are vulnerable to this issue, as we transitively depend on System.Data.SqlClient.4.3.0, which in turn depends on System.Net.Security.4.3.0, which is one of the vulnerable packages in the issue I linked above.

I am unsure how exactly to fix this, but it seems it would be enough to update the dependency on System.Data.SqlClient to a newer version which works in a .NET Core setting.

I will be happy to provide more information if you need it, and I hope this issue is easily fixed.

mookid8000 commented 4 years ago

Thanks for reporting this!

I've pushed Rebus.PostgreSql 6.0.0-b03 now, so it should be visible on NuGet.org when they update their index.

KasperDamgaard commented 4 years ago

Thanks for handling this extremely fast!

We have some issues getting all the 6.x versions to function together. Any chance the fix could be applied to the 5.x version line as well? Not sure if we're just outdated and the only ones still using 5.x :)

mookid8000 commented 4 years ago

Ah, fair enough - it's fixed in Rebus.PostgreSql 5.1.0, which is on NuGet.org now 🙂

KasperDamgaard commented 4 years ago

I'm sorry, but it seems like the 5.1.0 change did not change the dependency on System.Data.SqlClient. Running the tool again reveals that we're still vulnerable. Also: I'm sorry, but I did not catch the next transitive dependency. The next one is now npgsql/3.2.2, since this also references System.Net.Security/4.3.0 - this should be upgradable as well. We would need at least npgsql/3.2.7 if I read the dependency stuff correctly, but of course it's best to always be as up to date as possible.

I will happily run dotnet-retire after each release, but maybe it's faster for you if you do it yourself.

Edit: Oh, and btw - this Rebus.PostgreSql references Rebus 4.0.0, which is quite old. Just something to consider while I'm bugging you about updating dependencies :)
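The two reports above (the first post's chain through System.Data.SqlClient, and this one's chain through Npgsql) both come down to tracing a transitive path from the project's direct references to a package version flagged as vulnerable. The following is an added example, not code from the Rebus.PostgreSql repository or from either commenter: it reads a project.assets.json-shaped document (the resolved graph NuGet writes into obj/ at restore time) and lists every path from a direct dependency to a known-vulnerable (name, version) pair. The assets fragment embedded here is constructed to mirror the chains described in this thread, not copied from any real restore, and the vulnerable set is the single System.Net.Security 4.3.0 pair the issue names; the function names are this example's own.

```python
"""Trace transitive NuGet dependency chains to a known-vulnerable package.

Added example: walks a project.assets.json-shaped graph (constructed below)
and reports every path from a direct reference to a vulnerable package.
"""
import json
from typing import Dict, List, Set, Tuple

# Constructed project.assets.json fragment mirroring the chains described in
# this issue. It is NOT a real file from the Rebus.PostgreSql repository.
ASSETS_JSON = json.dumps({
    "project": {"frameworks": {"netcoreapp3.1": {"dependencies": {
        "Rebus.PostgreSql": {"version": "[5.1.0, )"}}}}},
    "targets": {".NETCoreApp,Version=v3.1": {
        "Rebus.PostgreSql/5.1.0": {"type": "package", "dependencies": {
            "Rebus": "4.0.0", "System.Data.SqlClient": "4.3.0", "Npgsql": "3.2.2"}},
        "Rebus/4.0.0": {"type": "package", "dependencies": {}},
        "System.Data.SqlClient/4.3.0": {"type": "package", "dependencies": {
            "System.Net.Security": "4.3.0"}},
        "Npgsql/3.2.2": {"type": "package", "dependencies": {
            "System.Net.Security": "4.3.0"}},
        "System.Net.Security/4.3.0": {"type": "package", "dependencies": {}},
    }},
})

# Vulnerable (name, version) pairs; this one is named in the issue thread
# (dotnet/runtime#21591). A real check would load the full advisory list.
VULNERABLE: Set[Tuple[str, str]] = {("System.Net.Security", "4.3.0")}


def load_graph(assets_text: str, tfm: str) -> Tuple[Dict[str, str], Dict[str, List[str]]]:
    """Return (resolved versions by name, dependency edges by name) for one target.

    NuGet resolves exactly one version per package name per target, so the
    keys under "targets" are the resolved graph; edges only need the name.
    """
    target = json.loads(assets_text)["targets"][tfm]
    resolved: Dict[str, str] = {}
    edges: Dict[str, List[str]] = {}
    for key, entry in target.items():
        if entry.get("type") != "package":
            continue  # skip project references
        name, version = key.split("/", 1)
        resolved[name] = version
        edges[name] = list(entry.get("dependencies", {}))
    return resolved, edges


def direct_dependencies(assets_text: str, framework: str) -> List[str]:
    """Names the project references directly (the roots of the walk)."""
    project = json.loads(assets_text)["project"]["frameworks"][framework]
    return list(project.get("dependencies", {}))


def find_chains(resolved: Dict[str, str], edges: Dict[str, List[str]],
                roots: List[str], vulnerable: Set[Tuple[str, str]]) -> List[List[str]]:
    """Depth-first search returning every root-to-vulnerable path as Name/Version steps."""
    chains: List[List[str]] = []

    def walk(name: str, path: List[str]) -> None:
        version = resolved.get(name)
        if version is None:
            return  # not resolved for this target (e.g. framework-provided)
        node = f"{name}/{version}"
        if node in path:
            return  # guard against a cycle in a malformed graph
        path = path + [node]
        if (name, version) in vulnerable:
            chains.append(path)
            return
        for dep in edges.get(name, []):
            walk(dep, path)

    for root in roots:
        walk(root, [])
    return chains


def report(assets_text: str, tfm: str, framework: str,
           vulnerable: Set[Tuple[str, str]] = VULNERABLE) -> List[List[str]]:
    """Convenience wrapper: load the graph and return all vulnerable chains."""
    resolved, edges = load_graph(assets_text, tfm)
    return find_chains(resolved, edges, direct_dependencies(assets_text, framework), vulnerable)


if __name__ == "__main__":
    for chain in report(ASSETS_JSON, ".NETCoreApp,Version=v3.1", "netcoreapp3.1"):
        print(" -> ".join(chain))
```

Run against a real restore, point it at obj/project.assets.json with the target framework moniker and framework key from that file. Each printed chain names the direct package whose version must move for the vulnerable node to drop out, which is exactly why bumping System.Data.SqlClient alone was not enough here: the Npgsql chain was a separate path to the same package.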

mookid8000 commented 4 years ago

hmm, you're right.... I guess I was too quick yesterday... 😆 let me just take a look

mookid8000 commented 4 years ago

Could you try Rebus.PostgreSql 5.1.1?

KasperDamgaard commented 4 years ago

Seems to work and no more warnings about security issues! Thanks again :)

mookid8000 commented 4 years ago

Excellent! 👍