Skip to content

Update System.Security.Cryptography.Pkcs (dependabot missed it) #8903

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jun 22, 2023
Merged

Update System.Security.Cryptography.Pkcs (dependabot missed it) #8903

merged 2 commits into from
Jun 22, 2023

Conversation

@JanKrivanek
Copy link
Member

@JanKrivanek JanKrivanek commented Jun 16, 2023

Fixes CVE-2023-29331

Context

CVE-2023-29331

Changes Made

Version bump that should have been done by dependabot

@JanKrivanek
Copy link
Member Author

JanKrivanek commented Jun 16, 2023

@MichaelSimons - Is it possible to reference system.security.cryptography.pkcs.7.0.2 as an external nuget? This worked just fine for 7.0.0 - however I do not see 7.0.2 being supported: https://github.com/dotnet/source-build-reference-packages/tree/main/src/referencePackages/src/system.security.cryptography.pkcs Is that planned to be added? (as 7.0.0 and 7.0.1 have known vulnerabilities)

@MichaelSimons
Copy link
Member

MichaelSimons commented Jun 16, 2023

@MichaelSimons - Is it possible to reference system.security.cryptography.pkcs.7.0.2 as an external nuget? This worked just fine for 7.0.0 - however I do not see 7.0.2 being supported: https://github.com/dotnet/source-build-reference-packages/tree/main/src/referencePackages/src/system.security.cryptography.pkcs Is that planned to be added? (as 7.0.0 and 7.0.1 have known vulnerabilities)

source-build-reference-packages is a self servicing repo. If you need a new package added which it appears like it is, you can add it yourself following these instructions. If you need any help I will be glad to help.

@JanKrivanek JanKrivanek mentioned this pull request Jun 16, 2023
Merged
@JanKrivanek JanKrivanek reopened this Jun 16, 2023
@JanKrivanek
Copy link
Member Author

JanKrivanek commented Jun 16, 2023

New version added to dotnet/source-build-reference-packages - however to be able to use it we need to reference the latest version - that is currently blocked by #8893

This was referenced Jun 16, 2023
Merged
Merged
@JanKrivanek JanKrivanek requested a review from a team June 21, 2023 16:54
@JanKrivanek
Copy link
Member Author

JanKrivanek commented Jun 21, 2023

@dotnet/source-build-internal - Adding System.Security.Cryptography.Pkcs/*7.0.2* to prebuild as a temporary workaround, so that we can update the vulnerable package.

The proper solution will require SRBP update, which will require update to arcade 8 - so this will need a bit of time

@JanKrivanek JanKrivanek mentioned this pull request Jun 21, 2023
Merged
rainersigwald
rainersigwald approved these changes Jun 21, 2023
View reviewed changes
MichaelSimons
MichaelSimons reviewed Jun 21, 2023
View reviewed changes
@JanKrivanek JanKrivanek force-pushed the JanKrivanek-patch-4 branch from a3e8d15 to 4a87b6b Compare June 21, 2023 18:24
@JanKrivanek JanKrivanek merged commit 227092b into main Jun 22, 2023
@JanKrivanek JanKrivanek deleted the JanKrivanek-patch-4 branch June 22, 2023 05:44
@JanKrivanek JanKrivanek mentioned this pull request Jun 29, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rainersigwald rainersigwald rainersigwald approved these changes

@MichaelSimons MichaelSimons MichaelSimons approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@JanKrivanek @MichaelSimons @rainersigwald