
Vulnerability in Castle.Core 4.4.0 #18

Closed
dovrama opened this issue Mar 8, 2024 · 7 comments

Comments

@dovrama

dovrama commented Mar 8, 2024

Hello, we're using this great package and our scanning tools have picked up that it has a vulnerability.

Basically the NuGet package that is being used in this project (Castle.Core 4.4.0) has a reference to this vulnerability: CVE-2018-8292

Exact path: Decor.Extensions.Microsoft.DependencyInjection/2.0.7 -> Castle.Core/4.4.0 -> NETStandard.Library/1.6.1 -> System.Net.Http/4.3.0

We believe that bumping Castle.Core to a newer version (>= 5.0.0) should fix this issue.
Same issue being discussed in Castle.Core: CastleCore using an old version of System.Net.Http which is vulnerable

Could this be done and released?

Thanks in advance!

@lawrence-laz
Owner

Well that's kind of annoying, the fix in Castle.Core is only available in these tags:

v5.0.0
v5.0.0-beta001
v5.1.0
v5.1.1

meaning it was never released for 4.*.* versions.

I'm a bit hesitant to bump a major version on Castle.Core, as that is a breaking change and might cause difficulties to some users (those who are using the package not only as a transitive dependency of Decor).

The vulnerability page lists that System.Net.Http was patched on 4.3.4, so technically if we add that as an explicit dependency to Decor, the unpatched/vulnerable version should never be restored during the build. Not sure if your scanning tools would be sophisticated enough to figure that out, but it's worth a try.

I'll try to release this as a preview version, so please let me know if it resolves the issue.

If the scanning tool still complains I'll just move to Castle.Core >=5.0.0 and bump the major version in Decor as well.
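The approach described in the comment above (pinning the patched transitive package as an explicit direct dependency so that NuGet's nearest-wins resolution picks it over the vulnerable version pulled in through Castle.Core) looks like this in an SDK-style project file. This is an added illustration, not the Decor project's actual csproj; the target framework, assembly name and the Castle.Core/System.Net.Http version numbers are taken from the thread, everything else is assumed.

```xml
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <!-- Hypothetical library project; only the dependency section matters here. -->
    <TargetFramework>netstandard2.0</TargetFramework>
    <AssemblyName>Decor.Example</AssemblyName>
  </PropertyGroup>

  <ItemGroup>
    <!-- Castle.Core 4.4.0 transitively brings in System.Net.Http 4.3.0
         via NETStandard.Library 1.6.1 (the vulnerable path, CVE-2018-8292). -->
    <PackageReference Include="Castle.Core" Version="4.4.0" />

    <!-- Explicit direct reference to the patched version. A direct dependency
         is "nearest" in NuGet's graph, so 4.3.4 wins over the transitive 4.3.0
         and the vulnerable assembly is never restored. -->
    <PackageReference Include="System.Net.Http" Version="4.3.4" />
  </ItemGroup>

</Project>
```

To confirm the override took effect without relying on a third-party scanner, `dotnet list package --vulnerable --include-transitive` (a standard .NET SDK command) reports any package in the resolved graph with a known advisory, and `dotnet list package --include-transitive` shows which System.Net.Http version was actually resolved. Note that this pin only protects the consuming project; anyone referencing Castle.Core 4.4.0 directly elsewhere in their solution still needs the same explicit reference, which is why the thread also considers moving to Castle.Core 5.x.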

@lawrence-laz
Owner

@dovrama the package is now published as 2.0.8-preview.1, let me know if this resolves the issue for you.

@dovrama
Author

dovrama commented Mar 8, 2024

@lawrence-laz, thank you for the fast response. I'll check it out on 12th of March once I am at work!

@dovrama
Author

dovrama commented Mar 12, 2024

@lawrence-laz, could you also create a preview version for Decor.Extensions.Microsoft.DependencyInjection? We're mainly using this with DI.

@lawrence-laz
Owner

@dovrama released

@dovrama
Author

dovrama commented Mar 13, 2024

@lawrence-laz, your change did the trick, the vulnerability is gone! Thank you very much for the fast response and actions. Waiting for a normal version release 👍

@lawrence-laz
Owner

Good to hear. Both packages are now released under 2.0.8.
