We’ve just released NServiceBus.AzureFunctions.Worker.ServiceBus 4.2.3 and 3.1.2.
- #449 Remote Code Execution Vulnerability in dependency of NServiceBus.AzureFunctions.Worker.ServiceBus
Anyone using the NServiceBus.AzureFunctions.Worker.ServiceBus package without explicitly updating transitive dependencies is affected.
A vulnerable release of Azure.Identity is included in the
.azurefunctions subdirectory of the build output.
You should upgrade during your next maintenance window. However, this update is not required if top-level dependency is taken on Microsoft.Azure.Functions.Worker.Extensions.ServiceBus version 5.15.0 or later.
You can install the new versions of NServiceBus.AzureFunctions.Worker.ServiceBus from NuGet.
The team in Particular
Please read our release policy for more details.