Channel: Active questions tagged nuget-package - Stack Overflow

What is the update/patch policy on vulnerable Microsoft.AspNetCore package versions?


I have some quite old library code using Microsoft.AspNetCore 2.2.0, which has vulnerability CVE-2019-0548. The library is compiled for targets .NET Standard 2.0 and .NET 6.0, consumed by .NET Framework 4.7.2+ and .NET 6.0. .NET Framework is only supported for downward compatibility.

A related question is here.

The docs at Mend (formerly WhiteSource) recommend updating the package to version 2.1.7. Since I had 2.2.0, I expected it to be newer.

But in fact, Microsoft.AspNetCore 2.1.7 is from 2019, newer than 2.2.0 from 2018. I know with .NET Core 2.2, a shared framework was introduced (similar to the old .NET Framework?). The vulnerability is also somewhere in native IIS code and to be fixed by runtime updates.

But why is version 2.1.x patched and 2.2.x not? Should I downgrade to 2.1.7 for Netstandard 2.0?

Note: I got rid of the vulnerability warning by a conditional <PackageReference ... />, only for .NET Standard 2.0. For .NET 6.0, the package isn't referenced, but a <FrameworkReference Include="Microsoft.AspNetCore.App" Version="2.2.8" /> exists, which, if I understand correctly, limits execution to runtime version at least 2.2.8, no lower. It was also possible to completely omit some of the Microsoft.AspNetCore and Microsoft.Extensions 2.x packages for .NET 6.0.
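The following project file is an added example, not the asker's own csproj, showing the per-target split the question describes: the multi-targeted library takes the Microsoft.AspNetCore package only for the netstandard2.0 target, pinned to the 2.1.7 version named by the Mend advisory above, while the net6.0 target uses the shared framework via a FrameworkReference and no package at all. The version number comes from the question; everything else (assembly name, the exact set of conditions) is assumed for illustration, and the FrameworkReference deliberately carries no version metadata so the SDK resolves the shared framework for the target runtime.

```xml
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <!-- Hypothetical library: one project, two targets, as in the question -->
    <TargetFrameworks>netstandard2.0;net6.0</TargetFrameworks>
    <AssemblyName>Example.LegacyAspNetCoreLibrary</AssemblyName>
    <!-- Make NuGet vulnerability warnings fail the build instead of hiding in the log -->
    <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
  </PropertyGroup>

  <!-- Only the .NET Standard 2.0 target pulls the package in, and only at the
       version the advisory on the page recommends (2.1.7), not the flagged 2.2.0. -->
  <ItemGroup Condition="'$(TargetFramework)' == 'netstandard2.0'">
    <PackageReference Include="Microsoft.AspNetCore" Version="2.1.7" />
  </ItemGroup>

  <!-- The .NET 6.0 target references the shared framework instead of the 2.x
       packages, so no vulnerable 2.2.0 package graph is restored for it. -->
  <ItemGroup Condition="'$(TargetFramework)' == 'net6.0'">
    <FrameworkReference Include="Microsoft.AspNetCore.App" />
  </ItemGroup>

</Project>
```

After editing the project, `dotnet restore` followed by `dotnet list package --vulnerable --include-transitive` shows whether any target still restores a flagged package version; the conditional ItemGroup is what keeps the 2.2.0 package out of the net6.0 restore graph.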
