All pre-8.0.3 version NuGet packages are shown as vulnerable whereas more versions are listed as patched on the Security issue #5698
Comments
|
Same issue on our side. Not sure if it is possible to update the advisory/add new advisory items to indicate the patched versions for the older releases as well to prevent compilation warnings for older releases that will not update to 8.0.3 |
|
We indeed backported the fix to all Npgsql versions going back to 4.0, so GHSA-x9vc-6hfv-hg8c is correct. We've submitted github/advisory-database#4379 to amend the advisory that was mistakenly pushed without that information - hopefully that gets merged soon. |
|
As a comment also mentioned in the merged PR: Just awaiting these updates to propagate wherever they need to go. Running
|
|
Closing this as github/advisory-database#4379 has been merged and the affected and patched versions at GHSA-x9vc-6hfv-hg8c are now correct. |
The CVE-2024-32655 advisory shows affected versions as <= 8.0.2 and all the NuGet packages for these versions are marked as vulnerable.
SQL Injection via Protocol Message Size Overflow however says that versions 4.0.14, 4.1.13, 5.0.18, 6.0.11, 7.0.7 and 8.0.3 are all patched.
Which source is the truth?
The text was updated successfully, but these errors were encountered: