Updated netcore System.Security.Cryptography.Xml to 6.0.1

Open Havunen opened this issue 2 years ago • 4 comments

Fixes https://github.com/dotnet/wcf/issues/4877

Havunen avatar Aug 11 '22 18:08 Havunen

Is there any update on this? @mconnew @Havunen

andreicristianpetcu avatar Sep 19 '22 08:09 andreicristianpetcu

@andreicristianpetcu, take a look at the referenced issue for more details. Basically, you don't need to worry about this as the vulnerable scenario isn't one that the WCF Core Client uses (validating an externally provided XML signature). We only use it to sign an internally created XML fragment so there's no untrusted XML being processed which could trigger the vulnerability. If you need to do something to quieten some automated tooling which is flagging this, you can add a direct dependency to your own project to the later version as top level project dependent versions override what packages ask for.

mconnew avatar Sep 19 '22 19:09 mconnew
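
The override described in the comment above, as an added example that is not part of the original thread or the WCF project's own files: a project file that consumes a WCF client package and adds a direct reference to System.Security.Cryptography.Xml 6.0.1 (the version in this PR's title). The target framework and the System.ServiceModel.Http package version are assumptions chosen for illustration.

```xml
<!-- Added example: application .csproj, not a file from the dotnet/wcf repository. -->
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <!-- Assumed target framework -->
    <TargetFramework>net6.0</TargetFramework>
  </PropertyGroup>

  <ItemGroup>
    <!-- WCF client package that pulls in System.Security.Cryptography.Xml
         transitively. The version shown here is an assumption. -->
    <PackageReference Include="System.ServiceModel.Http" Version="4.10.0" />

    <!-- Direct (top-level) reference. NuGet resolves the version requested
         by the project itself in preference to the lower version requested
         further down the dependency graph by the WCF packages. -->
    <PackageReference Include="System.Security.Cryptography.Xml" Version="6.0.1" />
  </ItemGroup>

</Project>
```

After a restore, `dotnet list package --include-transitive` shows which version of System.Security.Cryptography.Xml was resolved, and `dotnet list package --vulnerable --include-transitive` shows whether the package is still flagged.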

I'm not sure I feel comfortable with swapping libraries like that. It might cause unexpected behavior. I think that if this is such an easy fix, it should be upgraded here, right? @mconnew

andreicristianpetcu avatar Sep 21 '22 07:09 andreicristianpetcu

Yeah, updating this package at the application level is problematic, as we have multiple solutions and hundreds of projects, and this issue is coming from many places through dependencies.

Havunen avatar Sep 21 '22 09:09 Havunen