Powershell: Question about project.assets.json

Created on 5 Jul 2019 · 5 Comments · Source: PowerShell/PowerShell

Isn't System.Net.Http 4.3.0 vulnerable, and weren't those problems fixed in 4.3.2?

runtime.native.System.Net.Http 4.3.0 - NuGet
--- Found at: ---
D:\a\1\s\src\Microsoft.Management.Infrastructure.CimCmdlets\obj\project.assets.json
D:\a\1\s\src\Microsoft.PowerShell.Commands.Diagnostics\obj\project.assets.json
D:\a\1\s\src\Microsoft.PowerShell.Commands.Management\obj\project.assets.json
D:\a\1\s\src\Microsoft.PowerShell.Commands.Utility\obj\project.assets.json
D:\a\1\s\src\Microsoft.PowerShell.ConsoleHost\obj\project.assets.json
D:\a\1\s\src\Microsoft.PowerShell.MarkdownRender\obj\project.assets.json
D:\a\1\s\src\Microsoft.PowerShell.SDK\obj\project.assets.json
D:\a\1\s\src\Microsoft.PowerShell.Security\obj\project.assets.json
D:\a\1\s\src\Microsoft.WSMan.Management\obj\project.assets.json
D:\a\1\s\src\powershell-win-core\obj\project.assets.json
D:\a\1\s\src\System.Management.Automation\obj\project.assets.json
D:\a\1\s\test\xUnit\obj\project.assets.json

Issue-Question Resolution-Answered

All 5 comments

@bergmeister ?

Please follow the security issue template as per below, as any security-related discussion should happen privately first.
@iSazonov @TravisEz13 @SteveL-MSFT : Can any of you review this and possibly make the issue not appear publicly any more?

Security Issue

Excerpt from Issue Management - Security Vulnerabilities

If you believe that there is a security vulnerability in PowerShell Core,
it must be reported to [email protected]
to allow for Coordinated Vulnerability Disclosure.
Only file an issue, if [email protected] has confirmed filing an issue is appropriate.

When you have permission from [email protected] to file an issue here,
please use the Bug Report template and state in the description that you are reporting the issue in coordination with [email protected].

JSON files contain only references to the minimal required version. All supported PowerShell versions contain the latest Core and the latest DLLs.

@iSazonov is correct. Please look at what is actually used, not the references in the JSON. We don't have control over that in many cases, without being too explicit.

Also, if you believe this was actually a security issue, you violated our guidance.

Consider this a warning.

See,
https://github.com/PowerShell/PowerShell/issues/10065#issuecomment-508642154
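The distinction the maintainers draw above (what `project.assets.json` references versus what is actually shipped) can be checked directly. The script below is an added example, not part of the original thread or the PowerShell project's code: it lists the package entries from a constructed `project.assets.json` fragment and shows, side by side, the file version of any same-named DLL in the running install. The function names and the sample JSON are assumptions made for illustration, and a NuGet package version and a DLL file version use different numbering, so the two columns are reported rather than compared.

```powershell
# Added example. $sampleAssets is a constructed fragment shaped like the
# "libraries" section of a project.assets.json; replace it with
# (Get-Content -Raw <path>) to inspect a real file.
$sampleAssets = @'
{
  "version": 3,
  "libraries": {
    "runtime.native.System.Net.Http/4.3.0": { "type": "package" },
    "System.Net.Http/4.3.0": { "type": "package" },
    "Constructed.Local.Project/1.0.0": { "type": "project" }
  }
}
'@

function Get-ReferencedPackage {
    param([Parameter(Mandatory)][string]$Json)
    # -AsHashtable (PowerShell 6+) tolerates keys that differ only by case.
    $assets = $Json | ConvertFrom-Json -AsHashtable
    foreach ($entry in $assets['libraries'].GetEnumerator()) {
        if ($entry.Value['type'] -ne 'package') { continue }   # skip project references
        $name, $version = $entry.Key -split '/', 2             # key format is "Name/Version"
        [pscustomobject]@{ Package = $name; Referenced = $version }
    }
}

function Get-DeployedAssembly {
    param([Parameter(Mandatory)][string]$Name, [string]$InstallDir = $PSHOME)
    $dll = Join-Path $InstallDir "$Name.dll"
    # Native or metadata-only packages have no DLL under their package name.
    if (-not (Test-Path -LiteralPath $dll)) { return $null }
    $info = (Get-Item -LiteralPath $dll).VersionInfo
    [pscustomobject]@{ Path = $dll; FileVersion = $info.FileVersion }
}

# Report the referenced package version next to what is on disk.
Get-ReferencedPackage -Json $sampleAssets | ForEach-Object {
    $deployed = Get-DeployedAssembly -Name $_.Package
    [pscustomobject]@{
        Package     = $_.Package
        Referenced  = $_.Referenced
        DeployedDll = if ($deployed) { $deployed.Path } else { '(no DLL with this name in install dir)' }
        FileVersion = if ($deployed) { $deployed.FileVersion } else { $null }
    }
} | Format-Table -AutoSize
```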