Can we update to use sharpziplib.1.3.3.nupkg version? #177

Closed
faraazhabeeb123 opened this issue Apr 7, 2022 · 2 comments
Comments

@faraazhabeeb123

There is a vulnerability noticed in version 1.3.2 or below of sharpziplib. Can we update the version to 1.3.3? Reference to security: https://securitylab.github.com/advisories/GHSL-2021-125-sharpziplib/

@mganss
Owner

mganss commented Apr 8, 2022

The dependency on SharpZipLib comes as an indirect dependency through NPOI. They haven't updated to 1.3.3 yet, see here for the discussion: nissl-lab/npoi#741

OTOH it should be fine if you take a direct dependency on SharpZipLib 1.3.3 in your project.
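
One way to confirm that the direct-dependency workaround suggested above took effect, as an added example that is not part of the original thread or the project's code: it reads a NuGet `packages.lock.json` and reports whether the resolved SharpZipLib is still below 1.3.3 and which package pulls it in. It assumes lock files are enabled for the project; the lock-file contents are constructed samples and the function names are hypothetical.

```python
import json

PACKAGE = "SharpZipLib"   # package named in the issue
FIXED = (1, 3, 3)         # version the issue asks to move to

def parse_version(text):
    """'1.3.2' -> (1, 3, 2); any pre-release or build suffix is ignored."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))

def check_lock(lock_text, package=PACKAGE, fixed=FIXED):
    """Return one finding per target framework that resolves `package`."""
    wanted = package.lower()  # NuGet package ids are case-insensitive
    findings = []
    for framework, deps in json.loads(lock_text).get("dependencies", {}).items():
        for name, entry in deps.items():
            if name.lower() != wanted:
                continue
            # Packages in the same graph that declare a dependency on it.
            parents = sorted(
                other for other, meta in deps.items()
                if wanted in (d.lower() for d in meta.get("dependencies", {}))
            )
            findings.append({
                "framework": framework,
                "resolved": entry["resolved"],
                "type": entry.get("type"),  # "Direct" or "Transitive"
                "pulled_in_by": parents,
                "below_fixed": parse_version(entry["resolved"]) < fixed,
            })
    return findings

# Constructed sample lock files (contentHash fields left out, versions illustrative).
BEFORE = json.dumps({"version": 1, "dependencies": {"net6.0": {
    "NPOI": {"type": "Direct", "requested": "[2.5.5, )", "resolved": "2.5.5",
             "dependencies": {"SharpZipLib": "1.3.2"}},
    "SharpZipLib": {"type": "Transitive", "resolved": "1.3.2"},
}}})
# Same project after adding a direct PackageReference to SharpZipLib 1.3.3.
AFTER = json.dumps({"version": 1, "dependencies": {"net6.0": {
    "NPOI": {"type": "Direct", "requested": "[2.5.5, )", "resolved": "2.5.5",
             "dependencies": {"SharpZipLib": "1.3.2"}},
    "SharpZipLib": {"type": "Direct", "requested": "[1.3.3, )", "resolved": "1.3.3"},
}}})

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        for finding in check_lock(text):
            print(label, finding)
```

The parent package still declares its own minimum in the "after" sample; the direct reference is what raises the resolved version for the whole graph.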

@mganss
Owner

mganss commented Apr 27, 2022

Fixed in 5.2.393 (via NPOI 2.5.6).

@mganss mganss closed this as completed Apr 27, 2022