
[Bug]: CVE affecting legacy .NET versions, fix in main branch is unreleased #1782

Closed
derekm opened this issue Aug 13, 2024 · 8 comments · Fixed by #1818
@derekm (Contributor) commented Aug 13, 2024

Describe the bug 🐞

A CVE happened affecting .NET versions prior to .NET 8.0.6. GitHub's advisory

Force-upgrade to System.Text.Json 8.0.4 for legacy frameworks should be released as Refit 7.1.3.

Steps to reproduce

  1. Include Refit in a new .NET project
  2. Security scan project
  3. See "HIGH" denial-of-service vulnerability

Reproduction repository

https://github.com/reactiveui/refit

Expected behavior

Recent releases should be free of HIGH vulns.

Screenshots 🖼️

No response

IDE

No response

Operating system

No response

Version

No response

Device

No response

Refit Version

7.1.2

Additional information ℹ️

Refit main branch force-upgrades to System.Text.Json 8.0.4 for netstandard2.0 or net462, and this should be released ASAP as Refit 7.1.3.

@ChrisPulman (Member) commented:

Hi, thank you for raising this. However, for .net6/8 we don't take a dependency on this package; please use net 8.0.6+ to resolve this issue. We have a dependency for netstandard2.0 and netframework as this is the only way we can use the functionality provided.
Therefore this is not a bug in Refit but a bug in the net 8.0 libraries.

@derekm (Contributor, Author) commented Aug 14, 2024

We have a dependency for netstandard2.0 and netframework as this is the only way we can use the functionality provided.

My bug description is wrong, so I will edit it.

My security scanner is ignoring my use of net8.0-latest, and it is seeing your use of System.Text.Json 8.0.3 in the legacy frameworks. In main branch, you've updated legacy frameworks to System.Text.Json 8.0.4.

The bug is that you haven't released the 8.0.4 force-upgrade for legacy frameworks as Refit 7.1.3.

Cf., https://www.nuget.org/packages/Refit#dependencies-body-tab where it says, "System.Text.Json (>= 8.0.3)". Refit 7.1.3 will say, "System.Text.Json (>= 8.0.4)".

@derekm derekm changed the title [Bug]: CVE affecting .NET releases up to version NET8.0 [Bug]: CVE affecting legacy .NET version, fix in main branch is unreleased Aug 14, 2024
@derekm derekm changed the title [Bug]: CVE affecting legacy .NET version, fix in main branch is unreleased [Bug]: CVE affecting legacy .NET versions, fix in main branch is unreleased Aug 14, 2024
@ChrisPulman (Member) commented:

At the moment we are working to apply a new code signing certificate; as soon as this is complete we will be making a release. Thank you for your feedback.

@Russ256 commented Sep 17, 2024

The 7.2.0 release notes say this has been fixed, but it looks like the PR never got merged, so this is still an issue.

@ChrisPulman (Member) commented:

[image]

@Russ256 commented Sep 18, 2024

This affects all versions; I'm getting a CVE issue raised on a .NET 8 project. The linked PR looks like the fix but was never merged.

@ChrisPulman (Member) commented:

Please update to 7.2.1; this issue should be resolved, thank you.

github-actions bot commented Oct 4, 2024

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 4, 2024