release-notes/9.0/9.0.15/9.0.15.md (35 additions & 0 deletions)
@@ -67,6 +67,41 @@ Microsoft is releasing this security advisory to provide information about a vul
67
67
68
68
A vulnerability exists in System.Net.Mail where specially crafted data allows an unauthorized attacker to perform a spoofing attack over the network.
69
69
70
+
### Note on System.Security.Cryptography.Xml.EncryptedXml or System.Security.Cryptography.Xml.SignedXml
71
+
72
+
Applications using System.Security.Cryptography.Xml.EncryptedXml or System.Security.Cryptography.Xml.SignedXml might encounter two new CryptographicException occurrences when processing deeply nested payloads or entities with unsafe transforms.
73
+
74
+
75
+
76
+
1. “The XML element has exceeded the maximum nesting depth allowed for decryption.”
77
+
78
+
This is a new exception message that can only be thrown from the new behavior. This exception indicates the XML being processed has a deeply nested XML structure beyond a new default depth limit of 64. This limit can be overridden with a different numeric value, and a value of 0 indicates “no limit,” which restores the previous behavior.
79
+
80
+
* .NET Framework: Set a registry value named CryptoXmlDangerousMaxRecursionDepth within HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\.NETFramework\Security
81
+
82
+
* .NET: Set an AppContext property named System.Security.Cryptography.Xml.DangerousMaxRecursionDepth
83
+
84
+
2. “The specified cryptographic transform is not supported.”
85
+
86
+
Exceptions with this message were reachable before this update, but there are new circumstances where this exception can now be thrown. This exception indicates the XML payload is attempting to apply a transform not included in the known safe transforms list.
87
+
88
+
The safe transforms are:
89
+
90
+
SignedXml.XmlDsigC14NTransformUrl
91
+
SignedXml.XmlDsigC14NWithCommentsTransformUrl
92
+
SignedXml.XmlDsigExcC14NTransformUrl
93
+
SignedXml.XmlDsigExcC14NWithCommentsTransformUrl
94
+
SignedXml.XmlDsigBase64TransformUrl
95
+
SignedXml.XmlLicenseTransformUrl
96
+
SignedXml.XmlDecryptionTransformUrl
97
+
98
+
99
+
The previous behavior can be restored by applying an override.
100
+
101
+
102
+
103
+
* .NET Framework: Set a registry value named EncryptedXmlAllowDangerousTransforms to a non-zero numeric value within HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\.NETFramework\Security
104
+
* .NET: Set an AppContext property named System.Security.Cryptography.Xml.AllowDangerousEncryptedXmlTransforms to ‘true’.
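Review bot: the override instructions under both items (`* .NET Framework: Set a registry value named CryptoXmlDangerousMaxRecursionDepth ...` and `* .NET: Set an AppContext property named System.Security.Cryptography.Xml.DangerousMaxRecursionDepth`) name the knob but not how to set it: state the registry value type expected under `HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\.NETFramework\Security`, and for .NET say where the AppContext property goes (a `configProperties` entry in runtimeconfig.json, a `RuntimeHostConfigurationOption` item in the project file, or `AppContext.SetData` before the first use of the type), otherwise readers cannot apply the workaround. Item 1 says only "a different numeric value" while item 2 says "a non-zero numeric value"; make the two parallel and state that the depth value is an integer count of nested elements. Both overrides carry "Dangerous" in their names for a reason: add one sentence saying that a depth of 0, or setting `AllowDangerousEncryptedXmlTransforms` to true, reintroduces the exposure this update closes and should be used only as a temporary mitigation while the offending payloads or transforms are fixed. Minor: the "The safe transforms are:" list lacks the `*` bullets used for the other lists in this note, so it renders as run-together text.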