Update Newtonsoft.Json to a version unaffected by CVE-2024-21907 #5265
Comments
We are shipping 13.0.3 in net6; in this fix https://github.com/dotnet/installer/pull/19320/files we are rewriting the testhost.deps.json to reflect that. This is how the DLL looks in ILSpy: Where is the version 13.0.0.0.1 you mentioned coming from?
Sorry, I meant 13.0.1, which is mentioned as the solution for the GHSA-5crp-9r3c-p9vr advisory. I can still find the references in "dotnet-sdk-6.0-6.0.425-1.x86_64", which comes from packages.microsoft.com:
A user of ours is running a security scanner which barfs on that.
Description
vstest/temp/testhost/testhost.deps.json, line 18 in 07acde2
Suggest upgrading to 13.0.0.0.1 everywhere to silence dependency security scanners.
Steps to reproduce
Scan the dotnet SDK 6.0.425 release with a security scanner, which finds the vulnerable version referenced in usr/share/dotnet/sdk/6.0.425/testhost.deps.json
Expected behavior
No security scanner warnings
Actual behavior
Triggers on the above security advisory.
Environment
SUSE Linux Enterprise 15
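The scanner behaviour described in this issue keys off the version strings written into the `.deps.json`, not the binary that actually ships, which is why the installer fix rewrites `testhost.deps.json`. The script below is an added example (not part of this issue or the vstest project) that does the same check a dependency scanner does: it parses a `.deps.json`, collects every place `Newtonsoft.Json` is referenced with a version, and reports those below the `13.0.1` threshold the advisory names. `SAMPLE_DEPS_JSON` is a constructed stand-in with the shape of a real `.deps.json`, not the SDK's own file; the sha512 value is a placeholder.

```python
import json
import sys
from typing import Dict, List, Tuple

# Constructed sample in the shape of a .NET .deps.json. It is NOT the real
# testhost.deps.json shipped in the SDK; it only reproduces the structure a
# scanner walks (target entries, their "dependencies", and "libraries").
SAMPLE_DEPS_JSON = r'''
{
  "runtimeTarget": { "name": ".NETCoreApp,Version=v6.0", "signature": "" },
  "targets": {
    ".NETCoreApp,Version=v6.0": {
      "testhost/1.0.0": {
        "dependencies": { "Newtonsoft.Json": "9.0.1" },
        "runtime": { "testhost.dll": {} }
      },
      "Newtonsoft.Json/9.0.1": {
        "runtime": {
          "lib/netstandard1.0/Newtonsoft.Json.dll": {
            "assemblyVersion": "9.0.0.0", "fileVersion": "9.0.1.19813"
          }
        }
      }
    }
  },
  "libraries": {
    "testhost/1.0.0": { "type": "project", "serviceable": false, "sha512": "" },
    "Newtonsoft.Json/9.0.1": {
      "type": "package", "serviceable": true,
      "sha512": "sha512-PLACEHOLDER", "path": "newtonsoft.json/9.0.1"
    }
  }
}
'''

PACKAGE = "Newtonsoft.Json"
FIXED_VERSION = "13.0.1"  # first version GHSA-5crp-9r3c-p9vr lists as patched


def parse_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """Turn a NuGet version string into a sortable key.

    Numeric parts compare first; a pre-release suffix ("13.0.1-beta1") sorts
    below the matching release, as SemVer requires. Build metadata after '+'
    is ignored. Short versions are padded so "13.0.1" == "13.0.1.0".
    """
    core = text.split("+", 1)[0]
    numeric, _, prerelease = core.partition("-")
    parts = tuple(int(p) for p in numeric.split("."))
    parts = parts + (0,) * (4 - len(parts))
    return parts, 0 if prerelease else 1


def newtonsoft_references(deps: Dict) -> List[Tuple[str, str]]:
    """Return every (location, version) pair that names the package.

    Three places in a .deps.json carry a version string: the "Name/Version"
    keys under each target, the "dependencies" map of each entry, and the
    "Name/Version" keys under "libraries". Scanners typically read all three,
    so all three must agree with the binary actually shipped.
    """
    found: List[Tuple[str, str]] = []
    for target_name, entries in deps.get("targets", {}).items():
        for key, entry in entries.items():
            name, _, version = key.partition("/")
            if name == PACKAGE:
                found.append((f"targets[{target_name}][{key}]", version))
            dep_version = entry.get("dependencies", {}).get(PACKAGE)
            if dep_version:
                found.append((f"targets[{target_name}][{key}].dependencies", dep_version))
    for key in deps.get("libraries", {}):
        name, _, version = key.partition("/")
        if name == PACKAGE:
            found.append((f"libraries[{key}]", version))
    return found


def vulnerable_references(deps_text: str, fixed: str = FIXED_VERSION) -> List[Tuple[str, str]]:
    """Parse a .deps.json document and return references older than `fixed`."""
    deps = json.loads(deps_text)
    threshold = parse_version(fixed)
    return [(loc, ver) for loc, ver in newtonsoft_references(deps)
            if parse_version(ver) < threshold]


if __name__ == "__main__":
    # Pass a path such as /usr/share/dotnet/sdk/6.0.425/testhost.deps.json to
    # scan a real file; with no argument the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_DEPS_JSON
    for location, version in vulnerable_references(text):
        print(f"{location}: {PACKAGE} {version} < {FIXED_VERSION}")
```

Run against the sample it reports the same reference three times (target key, dependency entry, library key); a file where every occurrence has been rewritten to 13.0.3 produces no findings, which is the state the installer fix leaves `testhost.deps.json` in.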