Update dependency Microsoft.Owin to v4 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
Microsoft.Owin	3.1.0 -> 4.2.2

GitHub Vulnerability Alerts

CVE-2020-1045

A security feature bypass vulnerability exists in the way Microsoft ASP.NET Core parses encoded cookie names.The ASP.NET Core cookie parser decodes entire cookie strings which could allow a malicious attacker to set a second cookie with the name being percent encoded.The security update addresses the vulnerability by fixing the way the ASP.NET Core cookie parser handles encoded names., aka 'Microsoft ASP.NET Core Security Feature Bypass Vulnerability'.

CVE-2022-29117

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0, .NET 5.0 and .NET Core 3.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists in .NET 6.0, .NET 5.0 and .NET core 3.1 where a malicious client can manipulate cookies and cause a Denial of Service.

Affected software

• Any .NET 6.0 application running on .NET 6.0.4 or earlier.
• Any .NET 5.0 application running .NET 5.0.16 or earlier.
• Any .NET Core 3.1 application running on .NET Core 3.1.24 or earlier.

Affected packages

.NET Core 3.1

Package name	Affected versions	Patched versions
Microsoft.Owin.Security.Cookies	<4.2.2	4.2.2
Microsoft.Owin.Security	<4.2.2	4.2.2
Microsoft.AspNetCore.App.Runtime.win-x64	>=3.0.0,3.1.24	3.1.25
Microsoft.AspNetCore.App.Runtime.linux-x64	>=3.0.0,3.1.24	3.1.25
Microsoft.AspNetCore.App.Runtime.win-x86	>=3.0.0,3.1.24	3.1.25
Microsoft.AspNetCore.App.Runtime.osx-x64	>=3.0.0,3.1.24	3.1.25
Microsoft.AspNetCore.App.Runtime.linux-musl-x64	>=3.0.0,3.1.24	3.1.25
Microsoft.AspNetCore.App.Runtime.linux-arm64	>=3.0.0,3.1.24	3.1.25
Microsoft.AspNetCore.App.Runtime.linux-arm	>=3.0.0,3.1.24	3.1.25
Microsoft.AspNetCore.App.Runtime.win-arm64	>=3.0.0,3.1.24	3.1.25
Microsoft.AspNetCore.App.Runtime.win-arm	>=3.0.0,3.1.24	3.1.25
Microsoft.AspNetCore.App.Runtime.linux-musl-arm64	>=3.0.0,3.1.24	3.1.25
Microsoft.AspNetCore.App.Runtime.linux-musl-arm	>=3.0.0,3.1.24	3.1.25

.NET 5.0

Affected packages	Affected versions	Patched versions
Microsoft.Owin.Security.Cookies	< 4.2.2	4.2.2
Microsoft.AspNetCore.App.Runtime.win-x64	>=5.0.0,5.0.16	5.0.17
Microsoft.AspNetCore.App.Runtime.linux-x64	>=5.0.0,5.0.16	5.0.17
Microsoft.AspNetCore.App.Runtime.win-x86	>=5.0.0,5.0.16	5.0.17
Microsoft.AspNetCore.App.Runtime.osx-x64	>=5.0.0,5.0.16	5.0.17
Microsoft.AspNetCore.App.Runtime.linux-musl-x64	>=5.0.0,5.0.16	5.0.17
Microsoft.AspNetCore.App.Runtime.linux-arm64	>=5.0.0,5.0.16	5.0.17
Microsoft.AspNetCore.App.Runtime.linux-arm	>=5.0.0,5.0.16	5.0.17
Microsoft.AspNetCore.App.Runtime.win-arm64	>=5.0.0,5.0.16	5.0.17
Microsoft.AspNetCore.App.Runtime.win-arm	>=5.0.0,5.0.16	5.0.17
Microsoft.AspNetCore.App.Runtime.linux-musl-arm64	>=5.0.0,5.0.16	5.0.17
Microsoft.AspNetCore.App.Runtime.linux-musl-arm	>=5.0.0,5.0.16	5.0.17

.NET 6.0

Affected packages	Affected versions	Patched versions
Microsoft.Owin.Security.Cookies	<4.2.2	4.2.2
Microsoft.AspNetCore.App.Runtime.win-x64	>=6.0.0,6.0.4	6.0.5
Microsoft.AspNetCore.App.Runtime.linux-x64	>=6.0.0,6.0.4	6.0.5
Microsoft.AspNetCore.App.Runtime.win-x86	>=6.0.0,6.0.4	6.0.5
Microsoft.AspNetCore.App.Runtime.osx-x64	>=6.0.0,6.0.4	6.0.5
Microsoft.AspNetCore.App.Runtime.linux-musl-x64	>=6.0.0,6.0.4	6.0.5
Microsoft.AspNetCore.App.Runtime.linux-arm64	>=6.0.0,6.0.4	6.0.5
Microsoft.AspNetCore.App.Runtime.linux-arm	>=6.0.0,6.0.4	6.0.5
Microsoft.AspNetCore.App.Runtime.win-arm64	>=6.0.0,6.0.4	6.0.5
Microsoft.AspNetCore.App.Runtime.win-arm	>=6.0.0,6.0.4	6.0.5
Microsoft.AspNetCore.App.Runtime.osx-arm64	>=6.0.0,6.0.4	6.0.5
Microsoft.AspNetCore.App.Runtime.linux-musl-arm64	>=6.0.0,6.0.4	6.0.5
Microsoft.AspNetCore.App.Runtime.linux-musl-arm	>=6.0.0,6.0.4	6.0.5

Patches

• If you're using .NET Core 6.0, you should download and install Runtime 6.0.5 or SDK 6.0.105 (for Visual Studio 2022 v17.0) or SDK 6.0.203 (for Visual Studio 2022 v17.1) from https://dotnet.microsoft.com/download/dotnet-core/6.0.

• If you're using .NET 5.0, you should download and install Runtime 5.0.17 or SDK 5.0.214 (for Visual Studio 2019 v16.9) or SDK 5.0.408 (for Visual Studio 2011 v16.11) from https://dotnet.microsoft.com/download/dotnet-core/5.0.

• If you're using .NET Core 3.1, you should download and install Runtime 3.1.25 or SDK 3.1.419 (for Visual Studio 2019 v16.9 or Visual Studio 2011 16.11 or Visual Studio 2022 17.0 or Visual Studio 2022 17.1 ) from https://dotnet.microsoft.com/download/dotnet-core/3.1.

.NET 6.0, .NET 5.0 and .NET Core 3.1 updates are also available from Microsoft Update. To access this either type "Check for updates" in your Windows search, or open Settings, choose Update & Security and then click Check for Updates.

Other Details

• Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/220
• An Issue for this can be found at https://github.com/dotnet/aspnetcore/issues/41608
• MSRC details for this can be found at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29117

---

Release Notes

aspnet/AspNetKatana (Microsoft.Owin)

v4.2.2: 4.2.2 Release

This release includes a few bugfixes, including one with possible security implications. The packages are available on nuget.org.

• CVE 2022-29117 also applies to Microsoft.Owin.

See here for the complete list of changes.

v4.2.1: 4.2.1 Release

This release concludes significant build infrastructure changes and also includes a few product bug fixes. The packages are available on nuget.org.

See here for the complete list of changes.

The language specific satellite packages such as Microsoft.Owin.zh-Hans have been discontinued.

v4.2.0: 4.2.0 Release

This release includes a security feature and some minor improvements. The packages are available on nuget.org.

See here for the complete list of changes. These improvements have been completely community driven, thanks everybody for helping out!

https://github.com/aspnet/AspNetKatana/pull/389 adds PKCE support for OpenIdConnect authentication when using the code flow:

app.UseOpenIdConnectAuthentication(
    new OpenIdConnectAuthenticationOptions
    {
        ClientId = clientId,
        ClientSecret = clientSecret,
        Authority = authority,
        PostLogoutRedirectUri = postLogoutRedirectUri,
        ResponseType = OpenIdConnectResponseType.Code,
        RedeemCode = true,
        RedirectUri = redirectUri,
        UsePkce = true,
    });

v4.1.1: 4.1.1 Release

This release includes a security fix and some minor improvements. The packages are available on nuget.org.

• CVE-2020-1045 also applies to Microsoft.Owin.
• See here for the complete list of changes.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.