microsoft · TimothyMothra · May 6, 2021 · Apr 29, 2021 · Apr 29, 2021 · Apr 30, 2021
diff --git a/.../Microsoft.ApplicationInsights.AspNetCore/Microsoft.ApplicationInsights.AspNetCore.csproj b/.../Microsoft.ApplicationInsights.AspNetCore/Microsoft.ApplicationInsights.AspNetCore.csproj
@@ -48,11 +48,36 @@
     <Reference Include="System" />
     <Reference Include="Microsoft.CSharp" />
     <PackageReference Include="Microsoft.AspNetCore.Hosting" Version="1.1.3" />
+
+    <!-- 
+    System.Text.Encodings.Web has a vulnerability https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26701 
+    Microsoft.AspNetCore.Hosting will not receive any more updates for net452 or net46. 
+    -->
+    <PackageReference Include="System.Text.Encodings.Web" Version="4.5.1" />
   </ItemGroup>
 
 
   <ItemGroup Condition=" '$(TargetFramework)' == 'netstandard2.0' OR '$(TargetFramework)' == 'net461' ">
     <PackageReference Include="Microsoft.AspNetCore.Hosting" Version="2.1.1" />
+
+
+    <!--
+    Microsoft.AspNetCore.Http has a vulnerability https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1045
+    This is an implicit dependency from Microsoft.AspNetCore.Hosting.
+    (Microsoft.AspNetCore.Hosting > Microsoft.AspNetCore.Http)
+    Taking a dependency on Microsoft.AspNetCore.Hosting v2.2.0 would resolve this issue, but would also break support for NetCore v2.1.
+    Instead I'm taking a direct dependency on the fixed version Microsoft.AspNetCore.Http.
+    We can remove this when NetCore v2.1 reaches EOL on August 21, 2021.
+    -->
+    <PackageReference Include="Microsoft.AspNetCore.Http" Version="2.1.22" />
+
+    <!-- 
+    System.Text.Encodings.Web has a vulnerability https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26701 
+    This is an implicit dependency from Microsoft.AspNetCore.Hosting.
+    (Microsoft.AspNetCore.Hosting > Microsoft.AspNetCore.Hosting.Abstractions > Microsoft.AspNetCore.Http.Abstractions > System.Text.Encodings.Web)
+    We must take a temporary dependency on this newer version until Microsoft.AspNetCore.Hosting updates their dependencies.
+    -->
+    <PackageReference Include="System.Text.Encodings.Web" Version="4.5.1" />
   </ItemGroup>
 
   <ItemGroup Condition="'$(TargetFramework)' == 'netstandard2.0' ">

diff --git a/NETCORE/test/IntegrationTests.Tests/IntegrationTests.Tests.csproj b/NETCORE/test/IntegrationTests.Tests/IntegrationTests.Tests.csproj
@@ -21,6 +21,9 @@
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="16.9.4" />
 
     <ProjectReference Include="..\IntegrationTests.WebApp\IntegrationTests.WebApp.csproj" />
+
+    <PackageReference Include="System.Runtime.CompilerServices.Unsafe" Version="5.0.0" />
+    <PackageReference Include="System.Security.Permissions" Version="4.7.0" />
   </ItemGroup>
 
   <ItemGroup>
@@ -38,7 +41,7 @@
   </ItemGroup>
 
   <ItemGroup Condition="'$(TargetFramework)' == 'netcoreapp2.1'">
-    <PackageReference Include="Microsoft.AspNetCore.App" />
+    <PackageReference Include="Microsoft.AspNetCore.App" Version="2.1.27" />
     <PackageReference Include="Microsoft.AspNetCore.Mvc.Testing" Version="2.1.1" />
   </ItemGroup>
 

diff --git a/NETCORE/test/IntegrationTests.WebApp/IntegrationTests.WebApp.csproj b/NETCORE/test/IntegrationTests.WebApp/IntegrationTests.WebApp.csproj
@@ -9,8 +9,11 @@
   </ItemGroup>
 
   <ItemGroup Condition="'$(TargetFramework)' == 'netcoreapp2.1'">
-    <PackageReference Include="Microsoft.AspNetCore.App" />
+    <PackageReference Include="Microsoft.AspNetCore.App" Version="2.1.27" />
     <PackageReference Include="Microsoft.AspNetCore.Razor.Design" Version="2.1.2" PrivateAssets="All" />
+
+    <PackageReference Include="System.Runtime.CompilerServices.Unsafe" Version="5.0.0" />
+    <PackageReference Include="System.Security.Permissions" Version="4.7.0" />
   </ItemGroup>
 
 </Project>