MimeKit has vulnerable dependency that can lead to denial of service

Open danielwspie opened this issue 1 year ago • 7 comments

https://github.com/advisories/GHSA-gmc6-fwg3-75m5

Serilog.Sinks.Email (v4.0.0)
└─ MailKit (v4.6.0)
   └─ MimeKit (v4.6.0)

danielwspie avatar Sep 26 '24 20:09 danielwspie

Any update on this?

jwalz-hunter avatar Nov 20 '24 20:11 jwalz-hunter

Are there any plans to officially release a new version with #143 merged? Mentioned vulnerability is of high severity.

romovs avatar Dec 03 '24 13:12 romovs

Any updates, please?

Amir-Ageez avatar Dec 06 '24 22:12 Amir-Ageez

For your consideration:

As a workaround, you can install the vulnerable transient dependencies explicitly in a newer non-vulnerable version. The newer versions are compatible. NuGet will resolve the newer versions, and MimeKit will use those.

Kissaki avatar Dec 09 '24 10:12 Kissaki
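
One way to check that the workaround in the comment above took effect after a restore, as an added example that is not part of the thread or the project's code: it reads the resolved dependency graph from `obj/project.assets.json` and reports every chain leading to the package in question plus the version NuGet actually resolved. The package name `Example.Vulnerable.Dep`, its versions, and the `net8.0` target are constructed placeholders; substitute the package and first fixed version named in the advisory.

```python
import json

# Constructed sample shaped like obj/project.assets.json after `dotnet restore`.
# "Example.Vulnerable.Dep" and its versions are placeholders, not advisory data.
SAMPLE = json.loads("""{
  "targets": {"net8.0": {
    "Serilog.Sinks.Email/4.0.0": {"dependencies": {"MailKit": "4.6.0"}},
    "MailKit/4.6.0": {"dependencies": {"MimeKit": "4.6.0"}},
    "MimeKit/4.6.0": {"dependencies": {"Example.Vulnerable.Dep": "1.0.0"}},
    "Example.Vulnerable.Dep/2.0.0": {}
  }},
  "projectFileDependencyGroups": {"net8.0": [
    "Example.Vulnerable.Dep >= 2.0.0", "Serilog.Sinks.Email >= 4.0.0"]}
}""")

def parse_version(text):
    # Numeric release part only; prerelease labels are ignored (simplification).
    return tuple(int(part) for part in text.split("-")[0].split("."))

def resolved_version(assets, tfm, package):
    # Target keys are "Id/Version"; NuGet package ids are case-insensitive.
    for key in assets["targets"][tfm]:
        name, _, version = key.partition("/")
        if name.lower() == package.lower():
            return version
    return None

def chains_to(assets, tfm, package):
    """Every path from a direct PackageReference down to `package`."""
    graph = {key.partition("/")[0].lower(): list(node.get("dependencies", {}))
             for key, node in assets["targets"][tfm].items()}
    found = []
    def walk(name, path):
        path = path + [name]
        if name.lower() == package.lower():
            found.append(path)
            return
        for dep in graph.get(name.lower(), []):
            if dep not in path:  # guard against cycles
                walk(dep, path)
    for entry in assets["projectFileDependencyGroups"][tfm]:
        walk(entry.split()[0], [])
    return found

def is_patched(assets, tfm, package, first_fixed):
    version = resolved_version(assets, tfm, package)
    return version is not None and parse_version(version) >= parse_version(first_fixed)
```

In the sample, MimeKit still declares the older version, but the explicit reference wins resolution, so the single resolved entry is the newer one.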

I've merged https://github.com/serilog/serilog-sinks-email/pull/148 to get build scripts and dependencies up-to-date, if someone can verify that 4.1.0-dev-* (now on nuget.org) works satisfactorily in their project, I'll ship an RTM. Thanks!

nblumhardt avatar Apr 08 '25 00:04 nblumhardt

@nblumhardt 4.1.0-dev-02301 seems to work fine. We haven't noticed any issues.

romovs avatar Apr 18 '25 12:04 romovs

Thanks, @romovs 👍

nblumhardt avatar Apr 19 '25 21:04 nblumhardt