SaaS CMS has officially launched! Learn more now.

Some security issues

Vote:
 

Hello,

The following packages have transitive dependencies to vulnerable packages. Is it possible to update the references?

Episerver.Cms (12.29.1) -> Episerver.ImageLibrary.ImageSharp (1.0.1) -> SixLabors.ImageSharp (2.1.7) https://github.com/advisories/GHSA-g85r-6x2q-45w7 

Episerver.Framework (12.21.5) -> System.Security.Cryptography.Xml (6.0.1) -> System.Security.Cryptography.Pkcs (6.0.1) https://github.com/advisories/GHSA-555c-2p6r-68mm 

The following packages have a dependency on System.Text.RegularExpressions (4.3.0): https://github.com/advisories/GHSA-cmhx-cq75-c4mj 

EPiServer.CloudPlatform.Cms.1.6.1,
EPiServer.CMS.12.29.1,
EPiServer.CMS.AspNetCore.HtmlHelpers.12.21.5,
EPiServer.CMS.AspNetCore.Routing.12.21.5,
EPiServer.CMS.AspNetCore.TagHelpers.12.21.5,
EPiServer.CMS.Core.12.21.5,
EPiServer.CMS.TinyMce.4.7.2, EPiServer.Find.Cms.16.2.0,
EPiServer.GoogleAnalytics.4.2.0

#323096
Jun 04, 2024 7:45
Vote:
 

Hello

You can directly install the latest version of Episerver.ImageLibirary.ImageSharp from optimizely NuGet to override the transitive dependencies.

For the rest of vulnerabilities security issues, Azure App service should automatically patch the runtime if your solution is hosted in DXP. If you have Azure access, you can ssh to your container and run dotnet --info to verify your .net runtime (see screenshot below)

#323098
Jun 04, 2024 11:55
Vote:
 

I agree that the package references shuld be updated, but you may also

  • Reference EPiServer.ImageLibrary.ImageSharp 2.0.3 directly
  • Reference System.Security.Cryptography.Pkcs 6.0.4 directly
  • Reference System.Text.RegularExpressions 4.3.1 directly
#323099
Jun 04, 2024 12:06
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.