All pre-8.0.3 version NuGet packages are shown as vulnerable whereas more versions are listed as patched on the Security issue #5698
The CVE-2024-32655 advisory shows affected versions as <= 8.0.2, and all the NuGet packages for these versions are marked as vulnerable.
SQL Injection via Protocol Message Size Overflow, however, says that versions 4.0.14, 4.1.13, 5.0.18, 6.0.11, 7.0.7 and 8.0.3 are all patched.
Which source is the truth?

Comments

Same issue on our side. Not sure if it is possible to update the advisory/add new advisory items to indicate the patched versions for the older releases as well, to prevent compilation warnings for older releases that will not update to 8.0.3.

We indeed backported the fix to all Npgsql versions going back to 4.0, so GHSA-x9vc-6hfv-hg8c is correct. We've submitted github/advisory-database#4379 to amend the advisory that was mistakenly pushed without that information - hopefully that gets merged soon.

As a comment also mentioned in the merged PR: just awaiting these updates to propagate wherever they need to go. Running

Closing this as github/advisory-database#4379 has been merged and the affected and patched versions at GHSA-x9vc-6hfv-hg8c are now correct.
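The mismatch discussed in this issue (one flat "<= 8.0.2" affected range versus per-branch patched versions) is easy to reproduce with a small checker. The block below is an added example, not code from the issue, from Npgsql or from GitHub's advisory tooling. It assumes each affected branch starts at x.y.0 (the thread only says the fix was backported to every branch back to 4.0) and compares versions as plain x.y.z numbers, dropping NuGet pre-release suffixes, which is a simplification of NuGet's real ordering.

```python
"""Compare a single affected-version range with per-branch ranges for
CVE-2024-32655 in Npgsql. Added example; ranges derived from the issue text."""
from typing import NamedTuple


class Version(NamedTuple):
    major: int
    minor: int
    patch: int


def parse_version(text: str) -> Version:
    """Parse a plain x.y.z NuGet version.

    Simplification (assumption): a pre-release suffix such as
    '8.0.0-preview.1' is split off and ignored; real NuGet ordering
    places pre-releases before the matching release.
    """
    core = text.split("-", 1)[0]
    parts = core.split(".")
    if len(parts) < 3:
        parts += ["0"] * (3 - len(parts))
    major, minor, patch = (int(p) for p in parts[:3])
    return Version(major, minor, patch)


# First fixed release on each branch, as listed in the issue body.
PATCHED = ["4.0.14", "4.1.13", "5.0.18", "6.0.11", "7.0.7", "8.0.3"]

# Per-branch affected ranges [x.y.0, first_fixed). The x.y.0 lower bound is
# an assumption; the thread only states the fix was backported back to 4.0.
BRANCH_RANGES = [
    (Version(v.major, v.minor, 0), v) for v in map(parse_version, PATCHED)
]


def vulnerable_single_range(version: str) -> bool:
    """The advisory as originally published: every version <= 8.0.2 is affected."""
    return parse_version(version) <= Version(8, 0, 2)


def vulnerable_per_branch(version: str) -> bool:
    """Branch-aware check: affected only if the version sits below the fix
    on its own branch. Versions outside the listed branches are not decided
    here and are reported as not matching any affected range."""
    v = parse_version(version)
    return any(lo <= v < fixed for lo, fixed in BRANCH_RANGES)


def classify(versions):
    """Map each version to (single_range_verdict, per_branch_verdict)."""
    return {
        v: (vulnerable_single_range(v), vulnerable_per_branch(v))
        for v in versions
    }


if __name__ == "__main__":
    # Constructed sample versions: one below and one at the fix on two branches.
    for ver, (single, branch) in classify(
        ["7.0.6", "7.0.7", "8.0.2", "8.0.3"]
    ).items():
        print(f"{ver:>6}: single range -> {single!s:5}  per branch -> {branch}")
```

The single-range verdict flags 7.0.7 even though it carries the backported fix; the per-branch verdict is what the corrected advisory expresses, and it is the shape a dependency scanner needs to stop warning on patched older branches.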