Update to latest System.Text.Encodings.Web due to CVE-2021-26701 for Microsoft.AspNetCore.Mvc.Core v2.2.5

Question

Update to latest System.Text.Encodings.Web due to CVE-2021-26701 for Microsoft.AspNetCore.Mvc.Core v2.2.5

Closed this issue 3 years ago · 4 comments

Microsoft.AspNetCore.Mvc.Core v2.2.5 is System.Text.Encodings.Web which has https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26701. Requirement is to upgrade to version System.Text.Encodings.Web - 4.5.1,4.7.2,5.0.1. Can you please provide an ETA for it?

Answer 1 · 2021-04-06T19:57:50.000Z

.NET 2.2 Core is out of support and has been since December 2019.. It will not be updated. Please update to 3.1.

You can add a reference to the latest appropriate package yourself, but by being on an unsupported version you won't get other security fixes.

Answer 2 · 2021-04-07T00:54:54.000Z

So looking into this a bit cause I'm the same boat, and the other answer didn't really help me..

It appears the nuget package: Microsoft.AspNetCore.Mvc.Core is depreciated (this should be mentioned on the nuget package I think).

The latest version is 2.2.5.

@jayman-dalal
I think correct solution here that this package is no longer needed in netcore 3.0 and higher.
If you're already on that version, you dont need this package.

Checkout this documentation, expand the section "Click to expand the list of packages no longer being produced":
It is specifically mentioned as no longer needed.

Answer 3 · 2021-04-07T12:39:17.000Z

As an aside we're looking at the nuget deprecation feature, and the experience it gives.

Answer 4 · 2021-04-08T18:00:22.000Z

This issue has been resolved and has not had any activity for 1 day. It will be closed for housekeeping purposes.

See our Issue Management Policies for more information.