Multiple packages – Patch releases available

Hi everyone,

We’ve just released patches for some of our packages to update their dependencies to avoid transitive references to vulnerable packages.

Packages and versions

• NServiceBus 9.0.5
• NServiceBus.AmazonSQS 7.0.2 and 6.2.1
• NServiceBus.AmazonSQS.CommandLine 7.0.2 and 6.2.1
• NServiceBus.AwsLambda.SQS 2.0.1 and 1.1.2
• NServiceBus.AzureFunctions.InProcess.ServiceBus 4.4.1
• NServiceBus.AzureFunctions.Worker.ServiceBus 5.2.2 and 4.2.5
• NServiceBus.AzureStorageQueues 13.0.2 and 12.0.3
• NServiceBus.Callbacks 5.0.2 and 4.0.2
• NServiceBus.CustomChecks 5.0.1 and 4.0.1
• NServiceBus.DataBus.AzureBlobStorage 5.0.1
• NServiceBus.Encryption.MessageProperty 5.0.1 and 4.0.2
• NServiceBus.Extensions.Hosting 3.0.1 and 2.0.1
• NServiceBus.Extensions.Logging 3.0.1 and 2.0.1
• NServiceBus.Gateway 4.0.2
• NServiceBus.Gateway.RavenDB 4.0.1 and 3.0.1
• NServiceBus.Gateway.Sql 3.0.1 and 2.0.1
• NServiceBus.Heartbeat 5.0.1 and 4.0.1
• NServiceBus.MessagingBridge 4.0.3, 3.1.2 and 2.3.2
• NServiceBus.MessagingBridge.Msmq 4.0.3 and 3.1.2
• NServiceBus.Metrics 5.0.1 and 4.0.1
• NServiceBus.Metrics.PerformanceCounters 5.0.1
• NServiceBus.Metrics.ServiceControl 5.0.1 and 4.0.1
• NServiceBus.Metrics.ServiceControl.Msmq 4.0.1
• NServiceBus.Newtonsoft.Json 4.0.1 and 3.0.1
• NServiceBus.NHibernate 10.0.2 and 9.0.4
• NServiceBus.NHibernate.TransactionalSession 10.0.2 and 9.0.4
• NServiceBus.Persistence.CosmosDB 3.0.1 and 2.0.2
• NServiceBus.Persistence.CosmosDB.TransactionalSession 3.0.1 and 2.0.2
• NServiceBus.Persistence.DynamoDB 2.0.2 and 1.0.2
• NServiceBus.Persistence.DynamoDB.TransactionalSession 2.0.2 and 1.0.2
• NServiceBus.Persistence.NonDurable 2.0.1 and 1.0.1
• NServiceBus.Persistence.AzureTable 6.0.1 and 5.0.2
• NServiceBus.Persistence.AzureTable.TransactionalSession 6.0.1 and 5.0.2
• NServiceBus.Persistence.ServiceFabric 3.0.1
• NServiceBus.Persistence.Sql 8.1.1 and 7.0.6
• NServiceBus.Persistence.Sql.CommandLine 8.1.1 and 7.0.6
• NServiceBus.Persistence.Sql.TransactionalSession 8.1.1 and 7.0.6
• NServiceBus.RabbitMQ 8.0.6
• NServiceBus.Transport.RabbitMQ.CommandLine 8.0.6
• NServiceBus.RavenDB 9.0.1 and 8.2.1
• NServiceBus.RavenDB.TransactionalSession 9.0.1 and 8.2.1
• NServiceBus.SagaAudit 5.0.2 and 4.0.1
• NServiceBus.ServicePlatform.Connector 3.0.2 and 2.0.3
• NServiceBus.SqlServer 7.0.9
• NServiceBus.Transport.SqlServer 8.1.7 and 7.0.9
• NServiceBus.Transport.PostgreSql 8.1.7
• NServiceBus.Storage.MongoDB 3.0.5 and 4.1.1
• NServiceBus.Storage.MongoDB.TransactionalSession 3.0.5 and 4.1.1
• NServiceBus.Testing 9.0.1 and 8.1.1
• NServiceBus.TransactionalSession 3.2.1 and 2.0.3
• NServiceBus.Transport.Msmq 2.0.5
• NServiceBus.UniformSession 4.0.1 and 3.0.1
• NServiceBus.Wcf 3.0.1

How to know if you are affected

You are affected if you are using previous versions of our packages, but this doesn’t necessarily mean you are vulnerable.

Symptoms

Your projects have the setting NuGetAuditMode set to all and see transitive dependency warnings at build time that mention NServiceBus packages.

When to upgrade

You should upgrade immediately if you are affected. Otherwise, you should upgrade during your next maintenance window.

Where to get it

You can install the new versions of our packages from NuGet.

Please read our release policy for more details.

With thanks,
The team in Particular