Update Newtonsoft.Json to a version unaffected by CVE-2024-21907

[dirkmueller]

Description

vstest/temp/testhost/testhost.deps.json

Line 18 in 07acde2

"Newtonsoft.Json": "13.0.0.0"

and a few other places refer to Newtonsoft 13.0.0.0 which is affected by GHSA-5crp-9r3c-p9vr

suggest to upgrade to 13.0.0.0.1 everywhere to silence dependency security scanners.

Steps to reproduce

Scan dotnet sdk 6.0.425 release with a security scanner, which finds the vulnerable version referenced in usr/share/dotnet/sdk/6.0.425/testhost.deps.json

Expected behavior

No security scanner warnings

Actual behavior

triggers on above security advisory

Environment

SUSE Linux Enterprise 15

[nohwnd]

we are shipping 13.0.3 in net6, in this fix https://github.com/dotnet/installer/pull/19320/files we are rewriting the testhost.deps.json to reflect that. This is how the dll looks like in ilspy:

Where is the version 13.0.0.0.1 you mentioned coming from?

[dirkmueller]

Where is the version 13.0.0.0.1 you mentioned coming from?

sorry, I meant 13.0.1 which is mentioned as the solution for the GHSA-5crp-9r3c-p9vr advisory.

I can still find the references in "dotnet-sdk-6.0-6.0.425-1.x86_64" which comes from packages.microsoft.com:

# grep -r Newtonsoft.Json/13.0.0.0 /usr/share/dotnet/sdk/6.0.425/
/usr/share/dotnet/sdk/6.0.425/testhost.deps.json:      "Newtonsoft.Json/13.0.0.0": {
/usr/share/dotnet/sdk/6.0.425/testhost.deps.json:    "Newtonsoft.Json/13.0.0.0": {

a user of us is running some security scanner which barfs on that.