Microsoft.Windows.Compatibility 6.0.0 cause CVE-2022-34716 issue

[wolfkor]

Description

Please create a new NuGet package for Microsoft.Windows.Compatibility solving this vulnerability.
Dependency-Track is reporting this for pkg:nuget/System.Security.Cryptography.Xml@6.0.0

Reproduction Steps

Check Solution using Microsoft.Windows.Compatibility 6.0.0 with Dependeny-Track

Expected behavior

Microsoft.Windows.Compatibility 6.0.1 using System.Security.Cryptography.Xml 6.0.1

Actual behavior

Microsoft.Windows.Compatibility 6.0.0 using System.Security.Cryptography.Xml 6.0.0

Regression?

No response

Known Workarounds

No response

Configuration

No response

Other information

No response

Tagging subscribers to this area: @dotnet/area-system-security, @vcsjones
See info in area-owners.md if you want to be subscribed.

Issue Details

---

Description

Please create a new NuGet package for Microsoft.Windows.Compatibility solving this vulnerability.
Dependency-Track is reporting this for pkg:nuget/System.Security.Cryptography.Xml@6.0.0

Reproduction Steps

Check Solution using Microsoft.Windows.Compatibility 6.0.0 with Dependeny-Track

Expected behavior

Microsoft.Windows.Compatibility 6.0.1 using System.Security.Cryptography.Xml 6.0.1

Actual behavior

Microsoft.Windows.Compatibility 6.0.0 using System.Security.Cryptography.Xml 6.0.0

Regression?

No response

Known Workarounds

No response

Configuration

No response

Other information

No response

Author:	wolfkor
Assignees:	-
Labels:	area-System.Security, untriaged
Milestone:	-

[hoyosjs]

@ericstj @ViktorHofer, I think for servicing the stance is that we don't rev references of packages to rebuild the closure, essentially the user has to do the fixups? Or do we ever do that?

[ViktorHofer]

In the example of Microsoft.Windows.Compatibility I would lean towards servicing it with the next 6.0 servicing release.

[ViktorHofer]

cc @carlossanlop

[wolfkor]

@ViktorHofer unfortunately this did not find its way into 6.0.10 👎

[ViktorHofer]

At the time when this issue was reported 6.0.10 was already built and validated by us and our partners. We will consider taking this for the next servicing release. Thanks for reporting.

[ViktorHofer]

@carlossanlop can you please make sure that the Microsoft.Windows.Compatibility package ships with the next .NET 6 servicing release?

[carlossanlop]

Fix has been merged: #77194