MessagePack: InterfaceLookupFormatter uses default comparer instead of security-aware comparer
InterfaceLookupFormatter<TKey,TElement> constructs an internal Dictionary<TKey, IGrouping<TKey,TElement>> with the default equality comparer instead of the security-aware comparer supplied by options.
What changed
InterfaceLookupFormatter<TKey,TElement> constructs an internal Dictionary<TKey, IGrouping<TKey,TElement>> with the default equality comparer instead of the security-aware comparer supplied by options.Security.GetEqualityComparer<TKey>().
Who it affects
Applications that deserialize untrusted payloads into schemas containing ILookup<TKey,TElement> with a key type for which attacker-controlled hash collisions are feasible.
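An added example (not MessagePack's code and not part of the original advisory): a reflection scan that lists every field or property whose declared type contains ILookup<TKey,TElement>, together with its key type, so you can check whether your schemas fall under the affected case. The types Order, Batch and Safe and the class LookupAudit are constructed for the demo; point Scan at the assembly that holds your own serialized types.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Runtime.CompilerServices;

// Constructed sample schema (hypothetical types, for the demo only).
public class Order { public ILookup<string, int> ItemsByTag { get; set; } }
public class Batch { public List<Order> Orders { get; set; } public Dictionary<int, ILookup<Guid, string>[]> Index; }
public class Safe  { public Dictionary<string, int> Counts { get; set; } }

public static class LookupAudit
{
    // Yields every closed ILookup<,> reachable through array element types and generic arguments of t.
    static IEnumerable<Type> FindLookups(Type t)
    {
        if (t.IsArray)
        {
            foreach (var x in FindLookups(t.GetElementType())) yield return x;
            yield break;
        }
        if (!t.IsGenericType) yield break;
        if (t.GetGenericTypeDefinition() == typeof(ILookup<,>)) yield return t;
        foreach (var arg in t.GetGenericArguments())
            foreach (var x in FindLookups(arg)) yield return x;
    }

    // Reports each member whose type contains an ILookup, with the key type to review.
    public static IEnumerable<string> Scan(Assembly asm)
    {
        const BindingFlags flags = BindingFlags.Instance | BindingFlags.Public | BindingFlags.NonPublic;
        foreach (var type in asm.GetTypes())
        {
            var members = type.GetFields(flags)
                .Where(f => !f.IsDefined(typeof(CompilerGeneratedAttribute), false)) // skip auto-property backing fields
                .Select(f => (f.Name, Type: f.FieldType))
                .Concat(type.GetProperties(flags).Select(p => (p.Name, Type: p.PropertyType)));
            foreach (var m in members)
                foreach (var lookup in FindLookups(m.Type))
                    yield return $"{type.FullName}.{m.Name}: ILookup key type {lookup.GetGenericArguments()[0].Name}";
        }
    }

    public static void Main()
    {
        foreach (var hit in Scan(typeof(LookupAudit).Assembly)) Console.WriteLine(hit);
    }
}
```

The scan only sees declared member types; a member typed as object or as a custom interface that resolves to ILookup at runtime needs manual review.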
What to do today
Upgrade MessagePack to the patched version for your release line and upgrade companion MessagePack packages in the same dependency graph to the coordinated patched versions.