Security: document unpatched System.Security.Cryptography.Xml advisory
GHSA-37gx-xxp4-5rgx and GHSA-w3x6-4m5h-cxqf (XML signature vulns) affect 8.0.2 transitively. No patched version exists in the NuGet feed yet — 9.0.0 is also flagged. Tracked in Directory.Build.props for re-check when a fix ships. System.Net.Http 4.1.0 and System.Security.Cryptography.X509Certificates 4.1.0 are false positives: same NCalc2 -> Antlr4 -> NETStandard.Library 1.6.0 chain already documented; .NET 8 BCL provides the runtime versions. Microsoft.Build / NuGet.* are build-tooling-only, not deployed to production. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -8,4 +8,12 @@
|
|||||||
-->
|
-->
|
||||||
<NoWarn>$(NoWarn);NU1605</NoWarn>
|
<NoWarn>$(NoWarn);NU1605</NoWarn>
|
||||||
</PropertyGroup>
|
</PropertyGroup>
|
||||||
|
|
||||||
|
<!--
|
||||||
|
TRACKED: System.Security.Cryptography.Xml 8.0.2 has two High advisories (GHSA-37gx-xxp4-5rgx,
|
||||||
|
GHSA-w3x6-4m5h-cxqf — XML signature vulnerabilities). No patched version exists in the NuGet
|
||||||
|
feed as of 2026-06-14; 9.0.0 (the only higher version) is also flagged. Re-check when a
|
||||||
|
patched 8.x or 9.x build ships and pin here. Pulled in transitively by one of: Fido2, EPPlus,
|
||||||
|
Azure SDK, or VisualStudio.Web.CodeGeneration.Design.
|
||||||
|
-->
|
||||||
</Project>
|
</Project>
|
||||||
|
|||||||
Reference in New Issue
Block a user