
System.Net.Http 4.3.3 vulnerability #550

Closed
ThordaineRWS opened this issue May 22, 2024 · 5 comments

ThordaineRWS commented May 22, 2024

1. Description

System.Net.Http 4.3.3 has a vulnerability according to this Microsoft Security Advisory -
dotnet/announcements#88

  • HAP version: 1.11.61
  • NET version - Any .NET Core application that runs on a .NET Core 1.0.x runtime with a version number of 1.0.12 or lower, or a .NET Core application that runs on a .NET Core 1.1.x runtime with a version number of 1.1.9 or lower, or a .NET Core application that runs on a .NET Core 2.0.x runtime.
@ThordaineRWS ThordaineRWS changed the title System.Net.Http 4.3.3 vunerability System.Net.Http 4.3.3 vulnerability May 22, 2024

elgonzo commented May 22, 2024

  • NET version - Any .NET Core application that runs on a .NET Core 1.0.x runtime with a version number of 1.0.12 or lower, or a .NET Core application that runs on a .NET Core 1.1.x runtime with a version number of 1.1.9 or lower, or a .NET Core application that runs on a .NET Core 2.0.x runtime.

Read the advisory you referred to and act accordingly:

System administrators are advised to update their .NET Core runtimes to versions 1.0.13, 1.1.10 and install the latest 2.1 runtime, ensuring that any 2.0 applications are migrated to 2.1 as soon as possible.

Developers are advised to update their .NET Core SDK to versions 1.1.11 and migrate any .NET Core or ASP.NET Core 2.0 applications to 2.1 and redeploy.

@ThordaineRWS
Author

Just wondering if this part is relevant from that advisory?

Additionally package authors should check their dependencies to ensure they aren't depending on a vulnerable version of the following package:

Package name:
System.Net.Http
Vulnerable versions: 2.0.20126.16343, 2.0.20505, 2.0.20710, 4.0.0, 4.1.0, 4.1.1, 4.1.2, 4.3.0, 4.3.1, 4.3.2, 4.3.3
Secure versions: 4.3.4 or later

Thanks


elgonzo commented May 22, 2024

Just wondering if this part is relevant from that advisory?

Yes, it is relevant, but not in your context. It applies if a library has a dependency on the System.Net.Http package (not the System.Net.Http that's part of the BCL of a particular build target framework). If you check the dependencies of the current HAP version on nuget.org (https://www.nuget.org/packages/HtmlAgilityPack#dependencies-body-tab), you'll see that only the UAP 10.0 variant has a dependency on the System.Net.Http package, at version 4.3.4 (not 4.3.3).

Any other HAP variant (except the one for UAP) does not have a dependency on the System.Net.Http package. Which means, particularly for the .NET Standard variants of HAP (which you would use in .NET Core projects) the build target framework of your (executable or ASP.NET) project chooses the System.Net.Http version from the respective BCL of the build target framework.

(Side note: The latter does not necessarily mean that your app is always going to use the old 4.3.3 when targeting .NET Core 1.0.12 or older, because often, when installing a newer .NET framework/runtime next to an older framework/runtime, the BCL assemblies of older framework versions can be substituted by "proxy" assemblies containing type forwards, which, as the name suggests, forward type resolutions to the respective types in the BCL of the newer installed framework/runtime. This can enable an application compiled for such an older framework to use newer versions of the BCL assemblies and thus newer versions of System.Net.Http without needing to re-target and rebuild the app, hence why the advisory suggests that admins update the runtime.)
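The advisory's "package authors should check their dependencies" step, and elgonzo's point that the package reference can differ per target framework, can be automated. The following is an added example (not code from this thread or from the HtmlAgilityPack project) that reads the JSON produced by `dotnet list package --include-transitive --format json` and flags every System.Net.Http package reference per project and per framework, using the vulnerable and secure version lists quoted from the advisory above. The JSON shape (`projects` / `frameworks` / `topLevelPackages` / `transitivePackages`) is assumed from that command's output; the sample report embedded below is constructed, not a real scan. As elgonzo explains, a clean result only covers the NuGet package: the framework-provided System.Net.Http in the runtime's BCL never appears in this graph and is fixed by updating the runtime.

```python
import json
import sys

# Versions quoted from the advisory in this thread (dotnet/announcements#88).
VULNERABLE_VERSIONS = {
    "2.0.20126.16343", "2.0.20505", "2.0.20710",
    "4.0.0", "4.1.0", "4.1.1", "4.1.2",
    "4.3.0", "4.3.1", "4.3.2", "4.3.3",
}
SECURE_FROM = (4, 3, 4)          # "Secure versions: 4.3.4 or later"
PACKAGE_ID = "system.net.http"   # NuGet ids are case-insensitive


def parse_version(text):
    """Numeric prefix of a NuGet version as a tuple; '4.3.4' -> (4, 3, 4).
    Pre-release ('-beta1') and build metadata ('+sha') suffixes are dropped."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def classify(version):
    """'vulnerable' for a version the advisory lists, 'secure' for 4.3.4 or
    later, 'unlisted' for anything else (review manually rather than assume)."""
    if version in VULNERABLE_VERSIONS:
        return "vulnerable"
    if parse_version(version) >= SECURE_FROM:
        return "secure"
    return "unlisted"


def find_system_net_http(report):
    """Walk a `dotnet list package --format json` report (shape assumed) and
    return one finding per System.Net.Http package reference, keyed by project
    and target framework, since a multi-targeted library (e.g. a UAP variant)
    can pull the package in for one framework only."""
    findings = []
    for project in report.get("projects", []):
        for fw in project.get("frameworks", []):
            for kind in ("topLevelPackages", "transitivePackages"):
                for pkg in fw.get(kind, []):
                    if pkg.get("id", "").lower() != PACKAGE_ID:
                        continue
                    version = pkg.get("resolvedVersion", "")
                    findings.append({
                        "project": project.get("path"),
                        "framework": fw.get("framework"),
                        "kind": "direct" if kind == "topLevelPackages" else "transitive",
                        "version": version,
                        "status": classify(version),
                    })
    return findings


def summarize(findings):
    """Human-readable lines plus an exit code: 1 if anything is vulnerable."""
    lines = [f"{f['status']:<10} {f['project']} [{f['framework']}] "
             f"System.Net.Http {f['version']} ({f['kind']})" for f in findings]
    exit_code = 1 if any(f["status"] == "vulnerable" for f in findings) else 0
    return lines, exit_code


# Constructed sample report: one library multi-targeted like HAP (only the UAP
# variant carries the package, at 4.3.4) and one old app still on 4.3.3.
SAMPLE_REPORT = {
    "version": 1,
    "parameters": "--include-transitive",
    "projects": [
        {"path": "src/Scraper/Scraper.csproj", "frameworks": [
            {"framework": "netstandard2.0",
             "topLevelPackages": [{"id": "HtmlAgilityPack", "requestedVersion": "1.11.61",
                                   "resolvedVersion": "1.11.61"}],
             "transitivePackages": []},
            {"framework": "uap10.0",
             "topLevelPackages": [{"id": "HtmlAgilityPack", "requestedVersion": "1.11.61",
                                   "resolvedVersion": "1.11.61"}],
             "transitivePackages": [{"id": "System.Net.Http", "resolvedVersion": "4.3.4"}]},
        ]},
        {"path": "src/LegacyTool/LegacyTool.csproj", "frameworks": [
            {"framework": "netcoreapp1.0",
             "topLevelPackages": [{"id": "System.Net.Http", "requestedVersion": "4.3.3",
                                   "resolvedVersion": "4.3.3"}],
             "transitivePackages": []},
        ]},
    ],
}


if __name__ == "__main__":
    # Usage: dotnet list package --include-transitive --format json | python check_snh.py
    report = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_REPORT
    lines, code = summarize(find_system_net_http(report))
    print("\n".join(lines) or "no System.Net.Http package references found")
    sys.exit(code)
```

Piped real output, the script exits non-zero when any framework of any project still resolves a listed version, which makes it usable as a CI gate; the "unlisted" status exists so that versions the advisory does not mention are surfaced rather than silently treated as safe.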

@JonathanMagnan JonathanMagnan self-assigned this May 22, 2024
@JonathanMagnan
Member

Thank you again, @elgonzo, for answering.

We already took action starting from v1.11.55: https://github.com/zzzprojects/html-agility-pack/releases/tag/v1.11.55

We now use the v4.3.4 as @elgonzo specified.

Best Regards,

Jon

@ThordaineRWS
Author

Thank you @elgonzo and @JonathanMagnan for clarifying.

Best Regards,
@ThordaineRWS
