.NET update BouncyCastle.Cryptography dependency version to at least 2.3.1 #730

Closed
vadym-ustymenko opened this issue Dec 30, 2024 · 1 comment


@vadym-ustymenko

NuGet package AWS.Cryptography.EncryptionSDK 4.1.0 has a dependency on BouncyCastle.Cryptography (>= 2.2.1), which has a few vulnerabilities with moderate severity:
GHSA-8xfc-gm6g-vgpv
GHSA-v435-xc8x-wvr9
GHSA-m44j-cfrm-g8qc

BouncyCastle.Cryptography 2.3.1 has those vulnerabilities fixed.

@rishav-karanjit
Member

Hi @vadym-ustymenko, we are tracking this, and updating the Bouncy Castle version is on our roadmap for the next release. In the meantime, you can resolve this by overriding the AWS.Cryptography.MaterialProviders dependency to use version 1.4.0 or later. This will automatically use BouncyCastle.Cryptography 2.3.1 as a transitive dependency.

To implement this override, add the AWS.Cryptography.MaterialProviders package manually to your project using the following command:

dotnet add package AWS.Cryptography.MaterialProviders --version 1.4.0

Note that 1.4.0 is an example version. Any version 1.4.0 or later should work for this purpose.
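
Added example, not part of the original thread or the project's code: a check that the override took effect, reading the versions NuGet actually restored from `obj/project.assets.json` and flagging any target framework where BouncyCastle.Cryptography is still below 2.3.1. The `BEFORE` and `AFTER` samples are constructed, and the function names are hypothetical.

```python
import json
import sys

PACKAGE = "BouncyCastle.Cryptography"
MIN_FIXED = (2, 3, 1)  # first version the issue reports as fixed

def is_fixed(version, minimum=MIN_FIXED):
    """True if a NuGet version string is at or above the fixed release."""
    core, _, prerelease = version.split("+", 1)[0].partition("-")
    nums = tuple(int(p) for p in core.split(".")[:3])
    nums += (0,) * (3 - len(nums))
    if nums != minimum:
        return nums > minimum
    return prerelease == ""  # 2.3.1-beta sorts before 2.3.1

def resolved_versions(assets, package=PACKAGE):
    """Map each target framework to the version of `package` restored for it."""
    found = {}
    for target, libs in assets.get("targets", {}).items():
        for key in libs:
            name, _, version = key.partition("/")
            if name.lower() == package.lower():  # NuGet ids are case-insensitive
                found[target] = version
    return found

def audit(assets):
    """Return {target: version} for every target still below the fixed version."""
    return {t: v for t, v in resolved_versions(assets).items() if not is_fixed(v)}

# Constructed samples shaped like obj/project.assets.json, before and after the override.
BEFORE = {"targets": {"net8.0": {
    "AWS.Cryptography.EncryptionSDK/4.1.0": {"type": "package"},
    "BouncyCastle.Cryptography/2.2.1": {"type": "package"}}}}
AFTER = {"targets": {"net8.0": {
    "AWS.Cryptography.EncryptionSDK/4.1.0": {"type": "package"},
    "AWS.Cryptography.MaterialProviders/1.4.0": {"type": "package"},
    "BouncyCastle.Cryptography/2.3.1": {"type": "package"}}}}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a real obj/project.assets.json
        with open(sys.argv[1], encoding="utf-8-sig") as fh:
            stale = audit(json.load(fh))
    else:
        stale = audit(BEFORE)
    for target, version in stale.items():
        print(f"{target}: {PACKAGE} {version} is below 2.3.1")
    sys.exit(1 if stale else 0)
```

Run it after `dotnet restore` with the path to the project's `obj/project.assets.json`; a non-zero exit can fail a CI step. `dotnet list package --vulnerable --include-transitive` gives the CLI's own advisory report for the same dependency graph.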
