November Happy Hour will be moved to Thursday December 5th.

AI OnAI Off

Some security issues

huseyinerdinc
huseyinerdinc
Vote:
 

Hello,

The following packages have transitive dependencies to vulnerable packages. Is it possible to update the references?

Episerver.Cms (12.29.1) -> Episerver.ImageLibrary.ImageSharp (1.0.1) -> SixLabors.ImageSharp (2.1.7) https://github.com/advisories/GHSA-g85r-6x2q-45w7 

Episerver.Framework (12.21.5) -> System.Security.Cryptography.Xml (6.0.1) -> System.Security.Cryptography.Pkcs (6.0.1) https://github.com/advisories/GHSA-555c-2p6r-68mm 

The following packages have a dependency on System.Text.RegularExpressions (4.3.0): https://github.com/advisories/GHSA-cmhx-cq75-c4mj 

EPiServer.CloudPlatform.Cms.1.6.1,
EPiServer.CMS.12.29.1,
EPiServer.CMS.AspNetCore.HtmlHelpers.12.21.5,
EPiServer.CMS.AspNetCore.Routing.12.21.5,
EPiServer.CMS.AspNetCore.TagHelpers.12.21.5,
EPiServer.CMS.Core.12.21.5,
EPiServer.CMS.TinyMce.4.7.2, EPiServer.Find.Cms.16.2.0,
EPiServer.GoogleAnalytics.4.2.0

#323096
Jun 04, 2024 7:45
Vincent
Vincent
Vote:
 

Hello

You can directly install the latest version of Episerver.ImageLibirary.ImageSharp from optimizely NuGet to override the transitive dependencies.

For the rest of vulnerabilities security issues, Azure App service should automatically patch the runtime if your solution is hosted in DXP. If you have Azure access, you can ssh to your container and run dotnet --info to verify your .net runtime (see screenshot below)

#323098
Jun 04, 2024 11:55
Tomas Hensrud Gulla
Tomas Hensrud Gulla
Vote:
 

I agree that the package references shuld be updated, but you may also

  • Reference EPiServer.ImageLibrary.ImageSharp 2.0.3 directly
  • Reference System.Security.Cryptography.Pkcs 6.0.4 directly
  • Reference System.Text.RegularExpressions 4.3.1 directly
#323099
Jun 04, 2024 12:06
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.