Vulnerable transitive dependency System.Formats.Asn1 8.0.0 via System.Security.Cryptography.Pkcs #230

Closed
MessiKrkic opened this issue Nov 19, 2024 · 1 comment

Comments

@MessiKrkic

Hi Anders,

Over the weekend my builds have started to fail due to a vulnerability in a transitive dependency in ITfoxtec.Identity.Saml2.

The dependency chain is:
ITfoxtec.Identity.Saml2 -> System.Security.Cryptography.Xml (8.0.1) -> System.Security.Cryptography.Pkcs (8.0.0) -> System.Formats.Asn1 (8.0.0)

The CVE can be seen here: link to CVE

I noticed that version 8.0.2 of System.Security.Cryptography.Xml has updated the dependency of System.Formats.Asn1 to the patched version 8.0.1.

Would it be possible to update ITfoxtec.Identity.Saml2 to use System.Security.Cryptography.Xml 8.0.2 to fix this security issue?

Thanks in advance for your great work on the project!

@Revsgaard
Member

Thank you, released in https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/releases/tag/4.13.3
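
Added example, not part of the original thread or the project's code: a Python script that walks the `targets` section of a restored `obj/project.assets.json` and reports every resolved package chain that ends at System.Formats.Asn1 8.0.0, the chain described in the issue. The embedded JSON is a constructed sample reduced to the fields the walk needs, and the ITfoxtec.Identity.Saml2 version in it is a placeholder because the issue does not state it.

```python
import json

# Constructed sample shaped like the "targets" section of obj/project.assets.json.
# Versions are those named in the issue; the Saml2 version is a placeholder.
SAMPLE_ASSETS = json.loads("""
{"targets": {"net8.0": {
  "ITfoxtec.Identity.Saml2/0.0.0-placeholder": {"dependencies": {"System.Security.Cryptography.Xml": "8.0.1"}},
  "System.Security.Cryptography.Xml/8.0.1": {"dependencies": {"System.Security.Cryptography.Pkcs": "8.0.0"}},
  "System.Security.Cryptography.Pkcs/8.0.0": {"dependencies": {"System.Formats.Asn1": "8.0.0"}},
  "System.Formats.Asn1/8.0.0": {}
}}}
""")

def resolved_graph(assets, framework):
    """Map lower-cased package id -> (id, resolved version, dependency ids)."""
    graph = {}
    for key, entry in assets["targets"][framework].items():
        name, version = key.split("/", 1)  # keys are "Id/ResolvedVersion"
        graph[name.lower()] = (name, version, list(entry.get("dependencies", {})))
    return graph

def paths_to(assets, framework, target, bad_version):
    """Return each chain of (id, version) pairs that ends at target/bad_version."""
    graph = resolved_graph(assets, framework)
    depended_on = {d.lower() for _, _, deps in graph.values() for d in deps}
    roots = [k for k in graph if k not in depended_on]  # nothing pulls these in
    found = []

    def walk(key, chain):
        if key not in graph or key in {c[0].lower() for c in chain}:
            return  # not restored for this framework, or a dependency cycle
        name, version, deps = graph[key]
        chain = chain + [(name, version)]
        if key == target.lower() and version == bad_version:
            found.append(chain)
        for dep in deps:
            walk(dep.lower(), chain)  # NuGet package ids are case-insensitive

    for root in roots:
        walk(root, [])
    return found

def format_chain(chain):
    return " -> ".join(f"{name} ({version})" for name, version in chain)

if __name__ == "__main__":
    for chain in paths_to(SAMPLE_ASSETS, "net8.0", "System.Formats.Asn1", "8.0.0"):
        print(format_chain(chain))
```

After upgrading, rerunning the walk against the regenerated `project.assets.json` should return no chain ending at version 8.0.0.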
