Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0 and .NET Core 3.1, NuGet (NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.CommandLine.XPlat version range from 3.5.0 to 6.2.0). This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in .NET 6.0, .NET Core 3.1, and NuGet clients (NuGet.exe, NuGet.Commands, NuGet.CommandLine, NuGet.CommandLine.XPlat version range from 3.5.0 to 6.2.0) where a nuget.org credential could be leaked.
@dotnet: Could you give us the first fixed versions in Gentoo for each of the relevant dotnet sdk pkgs? Thanks!
The bug has been referenced in the following commit(s):
Author: Sam James <firstname.lastname@example.org>
AuthorDate: 2023-06-17 02:18:07 +0000
Commit: Sam James <email@example.com>
CommitDate: 2023-06-17 02:18:07 +0000
dev-lang/mono: add 220.127.116.11
Signed-off-by: Sam James <firstname.lastname@example.org>
dev-lang/mono/Manifest | 1 +
dev-lang/mono/mono-18.104.22.168.ebuild | 122 +++++++++++++++++++++++++++++++++++
2 files changed, 123 insertions(+)
- dev-dotnet/dotnet-sdk-bin-3.1.423-r4 affected, has NuGet 22.214.171.124
- dev-dotnet/dotnet-sdk-bin-5.0.408-r4 affected, has NuGet 126.96.36.199