System.ServiceModel.Primitives 8.0.0 transitively uses vulnerable package System.Security.Cryptography.Pkcs 6.0.1 #5406

Open
flo-so opened this issue Jan 16, 2024 · 5 comments

flo-so commented Jan 16, 2024

System.ServiceModel.Primitives 8.0.0 has dependency System.Security.Cryptography.Xml >= 6.0.1
System.Security.Cryptography.Xml 6.0.1 has dependency System.Security.Cryptography.Pkcs 6.0.1 which is marked vulnerable
Visual Studio 2022 transitive package installation installs minimum required package version, which is the vulnerable version
Please update package dependencies of System.ServiceModel.Primitives 8.0.0

@HongGit HongGit self-assigned this Jan 17, 2024

miksh7 commented Feb 22, 2024

Similar issue is in System.ServiceModel.Primitives 6.2.0.


Zastai commented May 10, 2024

It's especially odd that the 8.0.0 version, which only targets net8.0, would depend on .NET 6 packages instead of .NET 8 ones.

@lukasmichel

What would have to be changed to use the current dependency? Is it necessary at all to explicitly state the version? The package should be contained in the runtime directly.

@davidgvh

Why does the .NET 8 dependency list include .NET 6 package? There are older packages with dependency specifications for the older stuff. This feels like a lifecycle violation.

@Falco20019

@HongGit Friendly ping since there is still no documented workaround (to either use System.Security.Cryptography.Xml@8.x or System.Security.Cryptography.Pkcs@6.0.3+). So an official fix or at least a note would be appreciated.
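
The dependency chain reported in this thread, with a consumer-side pin, as an added example that is not part of the thread or of the project's own files. The project file name and layout are hypothetical; the 6.0.3 version is the one named in the last comment and is assumed here to be the first unflagged release.

```xml
<!-- App.csproj: hypothetical consuming project, constructed for this example -->
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
  </PropertyGroup>

  <ItemGroup>
    <!-- Declares System.Security.Cryptography.Xml >= 6.0.1. NuGet resolves a
         ">=" range to the lowest applicable version, so Xml 6.0.1 is selected,
         and it in turn pulls in System.Security.Cryptography.Pkcs 6.0.1,
         the version the issue reports as marked vulnerable. -->
    <PackageReference Include="System.ServiceModel.Primitives" Version="8.0.0" />

    <!-- Direct reference to the transitive package. A direct dependency takes
         precedence over a lower version requested deeper in the graph, so
         restore selects Pkcs 6.0.3 for the whole project.
         The other route named in the thread is a direct reference to
         System.Security.Cryptography.Xml 8.x instead. -->
    <PackageReference Include="System.Security.Cryptography.Pkcs" Version="6.0.3" />
  </ItemGroup>

</Project>
```

After restoring, `dotnet list package --vulnerable --include-transitive` shows whether the resolved graph still contains a flagged version. The pin has to be removed or revisited once System.ServiceModel.Primitives ships with updated dependencies.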
