Comments (5)
Just wondering if this part is relevant from that advisory?
Yes, it is relevant, but not in your context. It applies if a library has a dependency on the System.Net.Http package (not the System.Net.Http that's part of a BCL of a particular build target framework). If you check the dependencies of the current HAP version on nuget.org (https://www.nuget.org/packages/HtmlAgilityPack#dependencies-body-tab), you'll see that only the UAP 10.0 variant has a dependency on the package of System.Net.Http 4.3.4 (not 4.3.3).
Any other HAP variant (except the one for UAP) does not have a dependency on the System.Net.Http package. Which means, particularly for the .NET Standard variants of HAP (which you would use in .NET Core projects) the build target framework of your (executable or ASP.NET) project chooses the System.Net.Http version from the respective BCL of the build target framework.
(Side note: The latter does not necessarily mean that your app is always going to use the old 4.3.3 when targeting .NET Core 1.0.12 or older, because often when installing a newer .NET framework/runtime next to an older framework/runtime, the BCL assemblies of older framework versions can be substituted by "proxy" assemblies containing type forwards, which - as the name suggests - forward type resolutions to the respective types in the BCL of the newer installed framework/runtime. This can enable an application compiled for such an older framework to use newer versions of the BCL assemblies and thus newer versions of System.Net.Http without needing to re-target and rebuild the app, hence why the advisory suggests admins to update the runtime.)
from html-agility-pack.
- NET version - Any .NET Core application that runs on a .NET Core 1.0.x runtime with a version number of 1.0.12 or lower, or a .NET Core application that runs on a .NET Core 1.1.x runtime with a version number of 1.1.9 or lower, or a .NET Core application that runs on a .NET Core 2.0.x runtime.
Read the advisory you referred to and act accordingly:
System administrators are advised to update their .NET Core runtimes to versions 1.0.13, 1.1.10 and install the latest 2.1 runtime, ensuring that any 2.0 applications are migrated to 2.1 as soon as possible.
Developers are advised to update their .NET Core SDK to versions 1.1.11 and migrate any .NET Core or ASP.NET Core 2.0 applications to 2.1 and redeploy.
Just wondering if this part is relevant from that advisory?
Additionally package authors should check their dependencies to ensure they aren't depending on a vulnerable version of the following package:
Package name: System.Net.Http
Vulnerable versions: 2.0.20126.16343, 2.0.20505, 2.0.20710, 4.0.0, 4.1.0, 4.1.1, 4.1.2, 4.3.0, 4.3.1, 4.3.2, 4.3.3
Secure versions: 4.3.4 or later
Thanks
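The dependency check discussed in this thread, as an added example that is not part of any comment or of the HtmlAgilityPack project: it scans the `targets` section of a NuGet `obj/project.assets.json` for a resolved System.Net.Http package version on the advisory's vulnerable list and names the packages that declare the dependency. The sample data is constructed and the `Example.*` package names are hypothetical; a target with no System.Net.Http package entry (the BCL case described above) produces no finding, which is why the runtime still has to be patched there.

```python
import json

# Vulnerable System.Net.Http package versions, as listed in the advisory quoted in this thread.
VULNERABLE = {
    "2.0.20126.16343", "2.0.20505", "2.0.20710", "4.0.0", "4.1.0", "4.1.1",
    "4.1.2", "4.3.0", "4.3.1", "4.3.2", "4.3.3",
}
PACKAGE = "System.Net.Http"

# Constructed sample of the "targets" section of obj/project.assets.json.
# Example.Lib, Example.Safe and Example.Other are hypothetical package names.
SAMPLE_ASSETS = json.loads("""
{
  "version": 3,
  "targets": {
    "net6.0": {
      "Example.Lib/1.0.0": {"type": "package", "dependencies": {"System.Net.Http": "4.3.3"}},
      "System.Net.Http/4.3.3": {"type": "package"}
    },
    "netstandard2.0": {
      "Example.Safe/2.0.0": {"type": "package", "dependencies": {"System.Net.Http": "4.3.4"}},
      "System.Net.Http/4.3.4": {"type": "package"}
    },
    "net48": {"Example.Other/1.0.0": {"type": "package"}}
  }
}
""")


def find_vulnerable(assets):
    """Return (target, resolved version, declaring packages) for each affected target."""
    findings = []
    for target, libs in assets.get("targets", {}).items():
        for key in libs:
            name, _, version = key.partition("/")  # library keys are "Name/Version"
            if name.lower() != PACKAGE.lower() or version not in VULNERABLE:
                continue
            # Packages in this target that declare a dependency on System.Net.Http.
            parents = sorted(
                k for k, v in libs.items()
                if any(d.lower() == PACKAGE.lower() for d in v.get("dependencies", {}))
            )
            findings.append((target, version, parents))
    return findings


if __name__ == "__main__":
    for target, version, parents in find_vulnerable(SAMPLE_ASSETS):
        print(f"{target}: {PACKAGE} {version} is vulnerable, declared by {', '.join(parents) or 'the project'}")
```
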
Thank you again, @elgonzo, for answering.
We already took action starting from v1.11.55: https://github.com/zzzprojects/html-agility-pack/releases/tag/v1.11.55
We now use the v4.3.4 as @elgonzo specified.
Best Regards,
Jon
Thank you @elgonzo and @JonathanMagnan for clarifying.
Best Regards,
@ThordaineRWS