Pin System.Security.Cryptography.Xml to 8.0.3 (fix CVE-2026-26171, CVE-2026-33116)#1253

Open
NickJosevski wants to merge 1 commit into
mainfrom
nickj/pin-cryptography-xml-cve

Conversation

@NickJosevski

@NickJosevski NickJosevski commented Jun 18, 2026

Contributor

Fixes: #1256

Background

A Trivy CVE scan of the published octopusdeploy/kubernetes-agent-tentacle image flagged two HIGH vulnerabilities in System.Security.Cryptography.Xml 8.0.2, which is pulled in transitively (no direct reference exists in the repo):

  • CVE-2026-26171 — .NET XML: security bypass + denial of service
  • CVE-2026-33116 — .NET XML: denial of service via infinite recursion in XmlDecryptionTransform

These were the only fixable HIGH/CRITICAL findings in the image — the remaining OS-layer CRITICALs (perl, zlib) currently have no Debian fix available.

How to review this PR

Quality ✔️ — single <ItemGroup> pin in Octopus.Tentacle.csproj. Green means go. Re-running a Trivy scan on a freshly-built image should drop both HIGH findings.

@NickJosevski NickJosevski requested a review from a team as a code owner June 18, 2026 03:47
@NickJosevski

NickJosevski commented Jun 18, 2026

Contributor Author

this is ugly, but parent lib on net8 won't get updated: <!-- Pin transitive dependencies to fix known CVEs (.NET 8 only; net48 uses the GAC System.Security) -->

@todthomson todthomson left a comment

Member


:shipit:

@NickJosevski NickJosevski force-pushed the nickj/pin-cryptography-xml-cve branch from 04f9c95 to 3b737d5 Compare June 18, 2026 04:42
@NickJosevski NickJosevski enabled auto-merge June 18, 2026 04:42
@NickJosevski NickJosevski force-pushed the nickj/pin-cryptography-xml-cve branch from 3b737d5 to 2e4a621 Compare June 18, 2026 06:03
@todthomson

todthomson commented Jun 18, 2026

Member

this is ugly, but parent lib on net8 won't get updated: <!-- Pin transitive dependencies to fix known CVEs (.NET 8 only; net48 uses the GAC System.Security) -->

It's fine, this is the correct way to fix this (in this situation).

We can remove this when we upgrade Tentacle to .NET 10 in Q3.

@NickJosevski

Contributor Author

I had a green build at one point 😞

@NickJosevski

Contributor Author

@ATGardner I was hoping to see the Renovate bot notice and suggest fixes like this? Maybe it can't because it's a transitive dependency?

Collaborator

I configured the bot to look at docker/kubernetes-agent-tentacle/Dockerfile (and the dev one), as well as the docker/kubernetes-agent-tentacle/bootstrapRunner/go.mod (which is rather empty, so just bumping golang there).

wouldn't the actual nuget dependencies be handled by the root renovate-config.js, and team-executions-foundations?

Collaborator

oh, sorry - the new renovate configuration also has a custom manager looking at build/Build.Pack.cs, specifically at the base image in line 24 (const string KubernetesTentacleContainerRuntimeDepsTag = "8.0-bookworm-slim";). I don't think it will be able to use a digest in there, but maybe I'm wrong. We will see shortly. Anyway - I think some of the base-image sec vulns will be resolved just by rebuilding the tentacle image, since the 8.0-bookworm-slim moved.

A Trivy scan of octopusdeploy/kubernetes-agent-tentacle flagged the
transitively-resolved System.Security.Cryptography.Xml 8.0.2 (HIGH):
 - CVE-2026-26171 (.NET XML: security bypass + DoS)
 - CVE-2026-33116 (.NET XML: DoS via infinite recursion in
   XmlDecryptionTransform)

Pin it directly to 8.0.3 (NET8 servicing release containing both fixes)
Scoped to .NETCoreApp; net48 uses the GAC System.Security and is
unaffected. Verified the restore resolves 8.0.3 across all net8.0 RIDs.
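The shape of the pin the PR description and the commit message describe, written out as an added illustration rather than the PR's own diff: a direct PackageReference with an explicit version overrides the 8.0.2 that the parent library pulls in transitively, and the Condition restricts it to .NETCoreApp so the net48 build keeps using the GAC System.Security. The TargetFrameworks value and the surrounding project skeleton are assumed; only the pinned package, version and comment come from the page.

```xml
<!-- Octopus.Tentacle.csproj (illustrative skeleton; TargetFrameworks is assumed) -->
<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFrameworks>net8.0;net48</TargetFrameworks>
  </PropertyGroup>

  <!-- Pin transitive dependencies to fix known CVEs (.NET 8 only; net48 uses the GAC System.Security) -->
  <ItemGroup Condition="'$(TargetFrameworkIdentifier)' == '.NETCoreApp'">
    <!-- No direct reference existed before. Declaring one at 8.0.3 takes precedence over
         the transitive 8.0.2 during restore (NuGet's nearest-wins rule), so the image no
         longer ships the version flagged for CVE-2026-26171 and CVE-2026-33116. -->
    <PackageReference Include="System.Security.Cryptography.Xml" Version="8.0.3" />
  </ItemGroup>
</Project>
```

After restore, the resolved version for net8.0 should read 8.0.3 while the net48 output is unchanged; a fresh Trivy scan of the rebuilt image is the check the PR relies on to confirm both HIGH findings are gone.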
@NickJosevski NickJosevski force-pushed the nickj/pin-cryptography-xml-cve branch from 2e4a621 to 7060f6b Compare June 18, 2026 11:27
Development

Successfully merging this pull request may close these issues.

Version bump to address; CVE-2026-26171 and CVE-2026-33116 (not exploitable)

3 participants