"To expand on the vulnerability (we don't go into details on CVEs, hence the confusion here, and everyone defers to me on whether details need to be shared, hence the delay in a response.) The problem would have occurred when you publish a package to nuget.org using any of the affected nuget clients. It is limited to nuget.org api credentials and doesn't affect github or azdo credentials. It is only the pushing operation that could expose api credentials, nothing gets dropped into your nupkgs, you don't have to rebuild packages or republish. If you're concerned, rotate your api credentials and look at your published packages and make sure you recognise all of them. We haven't detected any attacks, but you never know. I hope this is enough detail @mungojam, if it's not please tag me in a response."
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1f9f7f85b21b773952028a92ee1a3a6f0a79f1ea

commit 1f9f7f85b21b773952028a92ee1a3a6f0a79f1ea
Author:     Maciej Barć <xgqt@gentoo.org>
AuthorDate: 2023-06-19 18:17:41 +0000
Commit:     Maciej Barć <xgqt@gentoo.org>
CommitDate: 2023-06-19 18:29:33 +0000

    dev-dotnet/dotnet-sdk-bin: drop old 5.0.408-r4

    Bug: https://bugs.gentoo.org/908819
    Bug: https://bugs.gentoo.org/908820
    Signed-off-by: Maciej Barć <xgqt@gentoo.org>

 dev-dotnet/dotnet-sdk-bin/Manifest | 6 ---
 .../dotnet-sdk-bin-5.0.408-r4.ebuild | 62 ----------------------
 2 files changed, 68 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2dc4834fe52b3630a2f161326a17c50c7576b52c

commit 2dc4834fe52b3630a2f161326a17c50c7576b52c
Author:     Maciej Barć <xgqt@gentoo.org>
AuthorDate: 2023-06-19 18:17:28 +0000
Commit:     Maciej Barć <xgqt@gentoo.org>
CommitDate: 2023-06-19 18:29:33 +0000

    dev-dotnet/dotnet-sdk-bin: drop old 3.1.423-r4

    Bug: https://bugs.gentoo.org/908819
    Bug: https://bugs.gentoo.org/908820
    Signed-off-by: Maciej Barć <xgqt@gentoo.org>

 dev-dotnet/dotnet-sdk-bin/Manifest | 4 --
 .../dotnet-sdk-bin-3.1.423-r4.ebuild | 60 ----------------------
 2 files changed, 64 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4e175c11278e2d3f9ad831a6503ca10ef5ecbc2d

commit 4e175c11278e2d3f9ad831a6503ca10ef5ecbc2d
Author:     Maciej Barć <xgqt@gentoo.org>
AuthorDate: 2023-06-19 18:17:06 +0000
Commit:     Maciej Barć <xgqt@gentoo.org>
CommitDate: 2023-06-19 18:29:33 +0000

    virtual/dotnet-sdk: drop old 5.0-r1

    Bug: https://bugs.gentoo.org/908819
    Bug: https://bugs.gentoo.org/908820
    Signed-off-by: Maciej Barć <xgqt@gentoo.org>

 virtual/dotnet-sdk/dotnet-sdk-5.0-r1.ebuild | 16 ----------------
 1 file changed, 16 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=86154485655909d831f0270354f5e22b328c793e

commit 86154485655909d831f0270354f5e22b328c793e
Author:     Maciej Barć <xgqt@gentoo.org>
AuthorDate: 2023-06-19 18:16:19 +0000
Commit:     Maciej Barć <xgqt@gentoo.org>
CommitDate: 2023-06-19 18:29:32 +0000

    virtual/dotnet-sdk: drop old 3.1-r1

    Bug: https://bugs.gentoo.org/908819
    Bug: https://bugs.gentoo.org/908820
    Signed-off-by: Maciej Barć <xgqt@gentoo.org>

 virtual/dotnet-sdk/dotnet-sdk-3.1-r1.ebuild | 16 ----------------
 1 file changed, 16 deletions(-)