Vulnerability in Castle.Core 4.4.0 #18
Comments
Well that's kind of annoying, the fix in Castle.Core is only available in these tags:
meaning it was never released for I'm a bit hesitant to bump a major version on Castle.Core, as that is a breaking change and might cause difficulties to some users (those who are using the package not only as a transitive dependency of Decor). The vulnerability page lists that I'll try to release this as a preview version, so please let me know if it resolves the issue. If the scanning tool still complains I'll just move to Castle.Core >=5.0.0 and bump major version in Decor as well.
@dovrama the package is now published as
@lawrence-laz, thank you for the fast response. I'll check it out on 12th of March once I am at work!
@lawrence-laz, could you also create a preview version for
@lawrence-laz, your change did the trick, the vulnerability is gone! Thank you very much for the fast response and actions. Waiting for a normal version release 👍
Good to hear. Both packages are now released under
Hello, we're using this great package and our scanning tools have picked up that it has a vulnerability.
Basically, the NuGet package that is being used in this project (Castle.Core 4.4.0) has a reference to this vulnerability: CVE-2018-8292
Exact path: Decor.Extensions.Microsoft.DependencyInjection/2.0.7 -> Castle.Core/4.4.0 -> NETStandard.Library/1.6.1 -> System.Net.Http/4.3.0
We believe that bumping Castle.Core to a newer version (>= 5.0.0) should fix this issue.
Same issue being discussed in Castle.Core: CastleCore using an old version of System.Net.Http which is vulnerable
Could this be done and released?
Thanks in advance!
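To confirm a transitive path like the one reported above, or to check that it is gone after an upgrade, the resolved graph in `obj/project.assets.json` can be walked directly. The following is an added example, not code from this thread or from the Decor project; the JSON fragment is constructed from the path quoted in the issue, and the `net6.0` target framework and the function name `dependency_paths` are assumptions.

```python
import json

# Constructed fragment in the shape of the "targets" section of
# obj/project.assets.json, reduced to the chain quoted in the issue.
# "net6.0" is an assumed target framework; real files list many more packages.
ASSETS = json.loads("""
{"targets": {"net6.0": {
  "Decor.Extensions.Microsoft.DependencyInjection/2.0.7":
      {"dependencies": {"Castle.Core": "4.4.0"}},
  "Castle.Core/4.4.0": {"dependencies": {"NETStandard.Library": "1.6.1"}},
  "NETStandard.Library/1.6.1": {"dependencies": {"System.Net.Http": "4.3.0"}},
  "System.Net.Http/4.3.0": {}
}}}
""")


def dependency_paths(assets, target_fw, package, version):
    """Return every chain from a top-level package down to package/version."""
    libs = assets["targets"][target_fw]
    # Keys are "Name/ResolvedVersion"; dependency values are only requested
    # ranges, so map each package name to the key NuGet actually resolved.
    resolved = {key.split("/", 1)[0].lower(): key for key in libs}
    children = {
        key: [resolved[d.lower()] for d in info.get("dependencies", {})
              if d.lower() in resolved]
        for key, info in libs.items()
    }
    depended_on = {c for kids in children.values() for c in kids}
    roots = [k for k in libs if k not in depended_on]  # nothing pulls these in
    wanted = f"{package}/{version}".lower()
    found = []

    def walk(node, trail):
        if node in trail:  # guard against dependency cycles
            return
        trail = trail + [node]
        if node.lower() == wanted:
            found.append(trail)
            return
        for child in children[node]:
            walk(child, trail)

    for root in roots:
        walk(root, [])
    return found


if __name__ == "__main__":
    for path in dependency_paths(ASSETS, "net6.0", "System.Net.Http", "4.3.0"):
        print(" -> ".join(path))
```

An empty result for the flagged package and version after restoring with the updated Decor package means that version is no longer in the resolved graph.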