Skip to content

Stale copy of the public suffix list

Low severity GitHub Reviewed Published Dec 9, 2023 in gsemac/Gsemac.Common • Updated Dec 11, 2023

Package

nuget Gsemac.Net (NuGet)

Affected versions

< 0.38.2

Patched versions

0.38.2

Description

We have identified that this project contains an out-of-date version of the Public Suffix List (https://publicsuffix.org/). We are carrying out research to identify the potential impacts of using old versions of the Public Suffix List, and we intend to publish our results in academic conferences and journals. Our results will become publicly available after 21 days; this provides time to update your project with an up-to-date version of the Public Suffix List.

GitHub repository: gsemac/Gsemac.Common
Public Suffix List path: src/Gsemac.Net/Resources/public_suffix_list.dat

The Public Suffix List is regularly updated (generally a few times per week), and to ensure that the correct privacy boundaries are maintained between websites, applications that use it should routinely fetch an updated copy. If new suffixes are added to the list, and an old list is then used, privacy boundaries will not be constructed correctly, allowing for data (e.g., cookies) to be set incorrectly, potentially harming privacy.

There is further guidance on how the Public Suffix List should be used in ICANN’s “Advisory on the Use of Static TLD / Suffix Lists” at https://www.icann.org/en/system/files/files/sac-070-en.pdf.

If you have any questions about our research, or about usage of the Public Suffix List, please reply via e-mail to sm@smcquistin.uk.

References

@gsemac gsemac published to gsemac/Gsemac.Common Dec 9, 2023
Published to the GitHub Advisory Database Dec 11, 2023
Reviewed Dec 11, 2023
Last updated Dec 11, 2023

Severity

Low

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-w4x6-hh3x-wjrx

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.