.NET / ASP .NET CVEs package vulnerabilities backfill #302
Comments
|
thank you @skofman1 for sharing this with us! we've made an internal issue to track this and have added this to our backfill queue. this information is extremely helpful! I'll let you know if we have any additional questions once we've started going through it 😄 |
|
Hey @skofman1, sorry for the delay, but we're now live-ish 🎉 A few notes. Similarly CVE-2019-0546 lists CVE-2020-0606 / dotnet/announcements#149 CVE-2020-1045 / dotnet/announcements#165 Thank you so much for the great list and sorry again for the delay in getting this done 🙇 CC @taladrane |
|
I'm now hitting this too - are we sure these versions are correct on |
|
@darakian - looking at the questions. RE: CVE-2019-0545 / dotnet/announcements#94, the announcement provides the following.
|
|
Hey @leecow, the question I had about that one was with respect to @skofman1's list has @NickCraver which advisory is blocking you? |
|
@darakian It's the last one for Microsoft.Owin: https://nvd.nist.gov/vuln/detail/CVE-2020-1045 / GHSA-hxrm-9w7p-39cc I can't find how any of these relate to Microsoft.Owin and the fix recommending versions that don't exist (and aren't slightly off - it's recommending 3.1.8 when only 3.1.0 exists) leads me to believe we have something off in the data here. Any help would be much appreciated! |
|
Gotcha, yes, capturing the NetCore.app and 'included' package is confusing. Could the GitHub advisory follow a similar pattern to the .NET advisory? e.g. NetCore.App (System.Net.Http). |
|
@NickCraver Ah gotcha. Our advisory isn't blocking you on that though is it? I couldn't find the Owin reference so, I left it off of that. @leecow our namespace is defined as the names used on Nuget.org. System.Net.Http in this case. |
|
@darakian I'm admittedly naive as to how these systems interact...it's triggering on internal builds in CG today as high severity and will break builds in under a month. |
|
@NickCraver and CG is breaking the build because the it detects |
|
@darakian yep exactly, it advises upgrading from 3.0.0 to 3.1.8 but that's not possible/doesn't exist :) |
|
@NickCraver that's not going to be us (github database) then. I suspect that someone may have changed something on the CG side when this list got put together. @skofman1 might be the best contact there. |
|
@skofman1 I have an internal thread going from discovery this AM but thought this may be way downstream of the source mismatch, will add you to this! I assumed this was downstream but honestly no clue. |
|
@darakian , @leecow - Regarding CVE-2019-0546 - this is a data issue. Sorry about that. Regarding CVE-2020-0606 / dotnet/announcements#149 - @leecow , perhaps you can clarify here. Was you intent this package: https://www.nuget.org/packages/Microsoft.WindowsDesktop.App.Ref ? Regarding CVE-2020-1045 / dotnet/announcements#165 - @leecow , could you help clarify which https://www.nuget.org/packages/microsoft.owin packages are impacted? @NickCraver - I imagine someone from CG used this data. Could you provide details on what CG solution your team uses? Is this Azure DevOps? If so, I can try to reach out to them internally. |
|
@skofman1 Yep ADO here - and always feel free to ping on Teams too, I can link specific builds/incidents. This started happening last week for us (Thursday/Friday I think) so assuming the same as you here that same data source got pulled in. Thanks a ton for helping us get sorted! |
Ok, just to double check you mean a change of the affected product from System.NET.Http to Microsoft.NETCore.App? |
Yes, exactly. |
Thank you much. We're updated 👍 |
|
Answers to a few of the outstanding questions:
Yes. This is somewhat analogous to the NetCore.App vs affected underlying component discussion.
The affected owin package is Microsoft.AspNetCore.Owin rather than Microsoft.Owin. Fixed version 3.1.8. |
|
@leecow many thanks 👍 Those two advisories are now updated on our end. |
|
@darakian , @leecow and I worked offline on CVE-2020-1045 and this is the full set of impacted packages (I updated the table above as well).
|
|
@skofman1 many thanks for the update. Am I right in reading that last line that |
|
@darakian , that's right. Microsoft.AspNetCore.Owin doesn't have version 2.1.22. https://www.nuget.org/packages/Microsoft.AspNetCore.Owin
|
|
Fantastic. Thank you much and I've updated our advisory to reflect 👍 |
|
@skofman1 On GHSA-p9wx-v264-q34p, for System.ServiceModel.Duplex and System.ServiceModel.Security, it includes affected versions >= 4.0.0, < 4.1.3 with patched version 4.1.3, but the table above and the announcement say vulnerable versions are 4.0.0, 4.0.1 and 4.0.2, with secure version 4.0.4. This caused us to get alerts from a dependency on Microsoft.NETCore.UniversalWindowsPlatform which I believe were false positives. I have submitted a suggestion for improvements in #574 |
@skofman1 We're seeking clarification before deciding whether to publish or close. Is CVE-2019-0546 a valid vulnerability? Does it affect |
|
@shelbyc , CVE-2019-0546 was provided by mistake here. There are no impacted packages here. Feel free to remove. |
|
Hello, Can anyone verify that CVE-2020-1045 was permanently fixed for Mictosoft.AspNetCore.Http as of 2.1.22, and the higher versions, including versions 2.2.x no longer have this vulnerability? Sonatype is reporting this is still an active issue directly via support chat: """ So for the 2.1.x branch, we do have the vulnerable range closed off at 2.1.22 (not inclusive). For the 2.2.x version, the advisory does not address this branch and we have found that it does have the vulnerable code in its versions. There are currently 5 2.2.x versions published to Nuget, the latest published on 2/12/2019, and all contain the vulnerable code. We are monitoring new releases of this component and will close off the vulnerable range for the 2.2.x branch should a fix ever be released for it. If you can verify, can you please provide documentation so I can try to get this updated? Thank you! |
|
//cc @leecow |
|
The fix was not applied to 2.2 as that release went out of support in December 2019. |
|
@leecow is that to say that all 2.2.x releases of |
Hi team!
We would like to backfill to the DB NuGet package vulnerabilities for 2017-2020. The list of vulnerabilities below are for .NET and ASP.NET Microsoft packages. Those already have CVEs and the impacted packages were specified in announcements published with each CVE in the .NET / ASP.NET Announcement repositories (https://github.com/dotnet/announcements/issues?q=is%3Aissue+is%3Aopen+cve , https://github.com/aspnet/announcements/issues?q=is%3Aopen+is%3Aissue+cve).
Please let me know if additional details are needed. //cc @taladrane , @JonDouglas, @leecow
The text was updated successfully, but these errors were encountered: