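While addressing CVE-2018-8409, I noticed that our dotnet publish (.NET Core 2.1.403, ASP.NET Core application) is publishing System.IO.Pipelines.dll v4.0.0.1 to our output directory.
I added a NuGet package reference to System.IO.Pipelines v4.5.3.
I don't see any reference to v4.0.0.1 in the build output, other than this: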
Unified primary reference "System.IO.Pipelines, Version=4.0.0.1, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51".
Using this version instead of original version "4.0.0.0" in "<home_dir>\.nuget\packages\microsoft.aspnetcore.connections.abstractions\2.1.3\lib\netstandard2.0\Microsoft.AspNetCore.Connections.Abstractions.dll" because AutoUnify is 'true'.
Using this version instead of original version "4.0.0.0" in "<home_dir>\.nuget\packages\microsoft.aspnetcore.http.connections\1.0.4\lib\netstandard2.0\Microsoft.AspNetCore.Http.Connections.dll" because AutoUnify is 'true'.
Using this version instead of original version "4.0.0.0" in "<home_dir>\.nuget\packages\microsoft.aspnetcore.server.kestrel.core\2.1.3\lib\netstandard2.0\Microsoft.AspNetCore.Server.Kestrel.Core.dll" because AutoUnify is 'true'.
Using this version instead of original version "4.0.0.0" in "<home_dir>\.nuget\packages\microsoft.aspnetcore.server.kestrel.transport.abstractions\2.1.3\lib\netstandard2.0\Microsoft.AspNetCore.Server.Kestrel.Transport.Abstractions.dll" because AutoUnify is 'true'.
Using this version instead of original version "4.0.0.0" in "<home_dir>\.nuget\packages\microsoft.aspnetcore.server.kestrel.transport.sockets\2.1.3\lib\netstandard2.0\Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets.dll" because AutoUnify is 'true'.
Using this version instead of original version "4.0.0.0" in "<home_dir>\.nuget\packages\microsoft.aspnetcore.signalr.core\1.0.4\lib\netstandard2.0\Microsoft.AspNetCore.SignalR.Core.dll" because AutoUnify is 'true'.
Resolved file path is "<home_dir>\.nuget\packages\system.io.pipelines\4.5.3\lib\netstandard2.0\System.IO.Pipelines.dll".
Reference found at search path location "{HintPathFromItem}".
This reference is not "CopyLocal" because at least one source item had "Private" set to "false" and no source items had "Private" set to "true".
The ImageRuntimeVersion for this reference is "v4.0.30319"
NOTE: <home_dir> is my user directory; it's not actually part of the output, FYI.
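However, when I check in VS2017, I clearly see the NuGet package shown as System.IO.Pipelines (4.5.3).
I expected System.IO.Pipelines 4.5.3 to be in the output, including any necessary assembly binding redirects.
Any ideas what I'm missing?
Thanks!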
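
An added example, not part of the original post: a Python parser for the reference-resolution lines quoted above, pairing each reference's assembly version with the NuGet package folder and version it resolved from. In the quoted log, Version=4.0.0.1 resolves to the file under the 4.5.3 package folder. The sample input is an excerpt of that log, and the function and field names are this example's own.

```python
import ntpath
import re

# Excerpt of the build output quoted in the post above (not a full log).
SAMPLE_LOG = r'''Unified primary reference "System.IO.Pipelines, Version=4.0.0.1, Culture=neutral, PublicKeyToken=cc7b13ffcd2ddd51".
Using this version instead of original version "4.0.0.0" in "<home_dir>\.nuget\packages\microsoft.aspnetcore.server.kestrel.core\2.1.3\lib\netstandard2.0\Microsoft.AspNetCore.Server.Kestrel.Core.dll" because AutoUnify is 'true'.
Resolved file path is "<home_dir>\.nuget\packages\system.io.pipelines\4.5.3\lib\netstandard2.0\System.IO.Pipelines.dll".
This reference is not "CopyLocal" because at least one source item had "Private" set to "false" and no source items had "Private" set to "true".
'''

REF = re.compile(r'\s*(?:Unified )?[Pp]rimary reference "([^,"]+), Version=([\d.]+)')
UNIFIED = re.compile(r'instead of original version "([\d.]+)" in "([^"]+)"')
RESOLVED = re.compile(r'Resolved file path is "([^"]+)"')
# Package id and version are the two folders below ".nuget\packages".
PACKAGE = re.compile(r'[\\/]\.nuget[\\/]packages[\\/]([^\\/]+)[\\/]([^\\/]+)[\\/]')


def parse_references(log_text):
    """Return one record per primary-reference block found in the log."""
    refs, cur = [], None
    for line in log_text.splitlines():
        if (m := REF.match(line)):
            cur = {"assembly": m.group(1), "assembly_version": m.group(2),
                   "unified_from": [], "package": None,
                   "package_version": None, "copy_local": None}
            refs.append(cur)
        elif cur is None:
            continue  # lines before the first reference block
        elif (m := UNIFIED.search(line)):
            # Which dependent assembly asked for which older version.
            cur["unified_from"].append((m.group(1), ntpath.basename(m.group(2))))
        elif (m := RESOLVED.search(line)):
            if (p := PACKAGE.search(m.group(1))):
                cur["package"], cur["package_version"] = p.groups()
        elif 'is not "CopyLocal"' in line:
            cur["copy_local"] = False  # only set when the log says so
    return refs


if __name__ == "__main__":
    for r in parse_references(SAMPLE_LOG):
        print(f'{r["assembly"]}: assembly version {r["assembly_version"]}, '
              f'package {r["package"]} {r["package_version"]}, '
              f'copy_local={r["copy_local"]}')
        for wanted, dll in r["unified_from"]:
            print(f'  {dll} was compiled against {wanted}')
```
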