-
-
Notifications
You must be signed in to change notification settings - Fork 372
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
System.Net.Http 4.3.3 vulnerability #550
Comments
Read the advisory you referred to and act accordingly:
|
Just wondering if this part is relevant from that advisory? Additionally package authors should check their dependencies to ensure they aren't depending on a vulnerable version of the following package: Package name: Thanks |
Yes, it is relevant, but not in your context. It applies if a library has a dependency on the System.Net.Http package (not the System.Net.Http that's part of a BCL of a particular build target framework). If you check the dependencies of the current HAP version on nuget org (https://www.nuget.org/packages/HtmlAgilityPack#dependencies-body-tab), you'll see that only the UAP 10.0 variant has a dependency on the package of System.Net.Http 4.3.4 (not 4.3.3) Any other HAP variant (except the one for UAP) does not have a dependency on the System.Net.Http package. Which means, particularly for the .NET Standard variants of HAP (which you would use in .NET Core projects) the build target framework of your (executable or ASP.NET) project chooses the System.Net.Http version from the respective BCL of the build target framework. (Side note: The latter does not necessarily mean that your app is always going to use the old 4.3.3 when targeting .NET Core 1.0.12 or older, because often when installing a newer .NET framework/runtime next to an older framework/runtime, the BCL assemblies of older framework versions can be substituted by "proxy" assemblies containing type forwards, which - as the name suggests - forward type resolutions to the respective types in the BCL of the newer installed framework/runtime. This can enable an application compiled for such an older framework to use newer versions of the BCL assemblies and thus newer versions of System.Net.Http without needing to re-target and rebuild the app, hence why the advisory suggests admins to update the runtime.) |
Thank you again, @elgonzo, for answering. We already took action starting from v1.11.55: https://github.com/zzzprojects/html-agility-pack/releases/tag/v1.11.55 We now use the v4.3.4 as @elgonzo specified. Best Regards, Jon |
Thank you @elgonzo and @JonathanMagnan for clarifying. Best Regards, |
1. Description
System.Net.Http 4.3.3 has a vulnerability according to this Microsoft Security Advisory -
dotnet/announcements#88
The text was updated successfully, but these errors were encountered: