.NET Core 8 Upgrade and Package Vulnerabilities #947

Open
acasciani opened this issue Dec 9, 2024 · 2 comments
Comments

@acasciani

Are there any plans to upgrade Microsoft.Graph.Core to .NET 8 now that .NET 6 is EOL? This library is using System.Text.Encodings.Web, which contains the following vulnerabilities:

  1. CVE-2022-24464
  2. CVE-2023-21538
  3. CVE-2022-29117
@acasciani acasciani added the status:waiting-for-triage An issue that is yet to be reviewed or assigned label Dec 9, 2024
@andrueastman
Member

Thanks for raising this @acasciani

We'll be looking to update the library to target the .NET 8 targets for LTS support on the next breaking change of the library, as we'd need to drop the MAUI targets here.

Out of curiosity, are you able to share more info on the package System.Text.Encodings.Web, as we do not currently take a dependency on it? Is it a transient package? Or from the runtime?

https://www.nuget.org/packages/Microsoft.Graph.Core/3.2.1#dependencies-body-tab

@andrueastman andrueastman added status:waiting-for-author-feedback Issue that we've responded but needs author feedback to close and removed status:waiting-for-triage An issue that is yet to be reviewed or assigned labels Dec 11, 2024
@acasciani
Author

Thanks for the response. It looks like it is a transient package through Microsoft.Kiota.Authentication.Azure, which references Azure.Core, which references System.Text.Encodings.Web.

@microsoft-github-policy-service microsoft-github-policy-service bot added Needs: Attention 👋 and removed status:waiting-for-author-feedback Issue that we've responded but needs author feedback to close labels Dec 11, 2024
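
One way to settle the "transient package or from the runtime?" question raised in the thread, as an added example that is not part of the original issue or the project's code: walk a restored project's `obj/project.assets.json` and list every chain from a direct reference down to the flagged package. The embedded sample is constructed to mirror the chain reported above; every version except Microsoft.Graph.Core 3.2.1 is a placeholder, and `dependency_paths` is a hypothetical helper name.

```python
import json
from collections import deque

# Constructed, heavily trimmed stand-in for obj/project.assets.json.
# Every version except Microsoft.Graph.Core 3.2.1 is a placeholder.
SAMPLE_ASSETS = json.loads("""
{
  "targets": {"net8.0": {
    "Microsoft.Graph.Core/3.2.1": {"dependencies": {"Microsoft.Kiota.Authentication.Azure": "1.0.0"}},
    "Microsoft.Kiota.Authentication.Azure/1.0.0": {"dependencies": {"Azure.Core": "1.0.0"}},
    "Azure.Core/1.0.0": {"dependencies": {"System.Text.Encodings.Web": "1.0.0"}},
    "System.Text.Encodings.Web/1.0.0": {}
  }},
  "project": {"frameworks": {"net8.0": {"dependencies": {"Microsoft.Graph.Core": {"version": "[3.2.1, )"}}}}}
}
""")


def dependency_paths(assets, target_package, framework):
    """Return every chain from a direct reference down to target_package."""
    graph = {}  # lower-cased id -> (display name, [lower-cased dependency ids])
    for key, entry in assets["targets"][framework].items():
        name = key.split("/", 1)[0]
        graph[name.lower()] = (name, [d.lower() for d in entry.get("dependencies", {})])
    direct = assets["project"]["frameworks"][framework].get("dependencies", {})
    wanted = target_package.lower()  # NuGet package ids are case-insensitive
    paths, queue = [], deque([name.lower()] for name in direct)
    while queue:
        path = queue.popleft()
        if path[-1] == wanted:
            paths.append([graph.get(n, (n, []))[0] for n in path])
            continue
        for child in graph.get(path[-1], (path[-1], []))[1]:
            if child not in path:  # guard against cyclic references
                queue.append(path + [child])
    return paths


if __name__ == "__main__":
    for chain in dependency_paths(SAMPLE_ASSETS, "System.Text.Encodings.Web", "net8.0"):
        print(" -> ".join(chain))
```

A chain longer than one entry means the package arrives transitively, and an empty result means no restored package references it for that framework.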