ASP.NET MVC security patch to version 3.0.0.1 breaks build [duplicate]

Question

This question already has an answer here:

• Windows update caused MVC3 and MVC4 stop working 9 answers

After installing the ASP.NET MVC 3 security update KB2990942 it appears the MVC version increased from 3.0.0.0 to 3.0.0.1. This causes Visual Studio to no longer find the reference.

<Reference Include="System.Web.Mvc, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL" />

Resharper does not show any problems but the build fails with lots of unresolved MVC types and a warning:

Warning: Could not resolve this reference. Could not locate the assembly "System.Web.Mvc, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL". Check to make sure the assembly exists on disk. If this reference is required by your code, you may get compilation errors.

This kind of makes sense. This version no longer exists on my machine.

I cannot guarantee the exact MVC version on dev machines, build servers and production servers. They might have 3.0.0.0 or 3.0.0.1 and this might change at any time. Windows Update might release new MVC versions at any time. Also, I don't want to increase the version number in all *.csproj files whenever an MVC update is released.

Multiple versions are affected by the update:

• KB 2993939: Security Update for Microsoft ASP.NET MVC 2
• KB 2993937: Security Update for Microsoft ASP.NET MVC 3
• KB 2993928: Security Update for Microsoft ASP.NET MVC 4.0
• KB 2992080: Security Update for Microsoft ASP.NET MVC 5.0

The security bulletin: MS14-059: Vulnerability in ASP.NET MVC Could Allow Security Feature Bypass (2990942)

What's the best way to deal with this situation? How can I unbreak build and production and be safe regarding future MVC updates?

Answer 1

I fixed this by:

• Removing the MVC reference and add the correct reference to the project.
• Changing the Copy Local property of the reference to true.
• Update the bindingRedirect setting in web.config:

web.config runtime section:

<runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
        <dependentAssembly>
            <assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35" />
            <bindingRedirect oldVersion="1.0.0.0-3.0.0.0" newVersion="3.0.0.1" />
        </dependentAssembly>
    ...

Changing the Copy Local setting will include the System.Web.MVC.dll file in the bin folder when you publish the project, so that it works even if the server is not updated with the new version.

Note that updates like this rarely happens. This is the first time that MVC 3 has been patched since it was released. You should be able to change Copy Local back to false once the servers has been updated. The next time Microsoft makes an update like this, they will probably know to fix issues like this first.

Answer 2

I installed Microsoft.AspNet.Mvc package in my project using Nuget.

Install-Package Microsoft.AspNet.Mvc -Version <version> -Project PROJECTNAME 

MVC 4 version: 4.0.40804.0

MVC 3 version: 3.0.50813.1

This fixed the problem. Details here: http://blogs.msdn.com/b/webdev/archive/2014/10/16/microsoft-asp-net-mvc-security-update-broke-my-build.aspx

Answer 3

Your production system should be fine as the hotfix delivers a config file (System.Web.Mvc.dll.config) into the following folder:

%SystemRoot%\assembly\GAC_MSIL\policy.3.0.System.Web.Mvc\3.0.0.1__31bf3856ad364e35

The config file contains an assembly redirect to the new version, this will override anything you have in your web.config:

<?xml version="1.0"?>
<!-- http://msdn.microsoft.com/en-us/library/7wd6ex19.aspx#BKMK_Redirectingassemblyversionsbyusingpublisherpolicy -->
<configuration>
    <runtime>
        <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
            <dependentAssembly>
                <assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35" culture="neutral" />
                <bindingRedirect oldVersion="3.0.0.0-3.0.0.1" newVersion="3.0.0.1"/>
            </dependentAssembly>
        </assemblyBinding>
    </runtime>
</configuration>

Follow the advice by @Guffa for your build system, or use nuget to update. I believe the solution which works depends on how you deliver the MVC binaries to your system (either bin deploy or GAC).

Answer 4

What worked in my case was to change the Reference element in project file so Version=3.0.0.0 is now Version=3.0.0.1. I also updated the System.Web.Mvc.dll file sitting in _bin_deployableAssemblies folder to the new version and added a HintPath element in the Reference element pointing to said dll so it's picked up even when in GAC we still have version 3.0.0.0.

The tricky part is to not forget to update reference in all projects referencing System.Web.Mvc (e.g. including test project).