Security: No CVE free Azure.Identity 1.3.x available for consumption in e.g. Microsoft.Data.SqlClient 3.1.x #2312

Closed
jsquire opened this issue Jan 22, 2024 · 2 comments
Labels
🚫 Won't Fix Issues that will not be worked on

Comments

@jsquire
Member

jsquire commented Jan 22, 2024

Issue Transfer

This issue has been transferred from the Azure SDK for .NET repository, #41448.

Please be aware that @simdanne is the author of the original issue and include them for any questions or replies.

Details

Describe the bug

Hi,
The still supported Microsoft.Data.SqlClient has a dependency on Azure.Identity >=1.3.0.

The recently released 3.1.5 version thereby still pulls in a version of Azure.Identity that has an open CVE against it (CVE-2023-36414).

I would expect the Azure.Identity team to provide a bugfix release of 1.3.x, so that Microsoft.Data.SqlClient can release a 3.1.x that pulls a fixed version in. Upgrading to another minor version that has the fix is impossible for Microsoft.Data.SqlClient, since the already released fixed versions of Azure.Identity have very different dependencies that clash with MDS.

see #2296 for reference.
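
The mechanism behind the report above, as an added example that is not code from the SqlClient or Azure SDK projects: NuGet resolves a floating range such as `>=1.3.0` (written `[1.3.0, )` in a .nuspec) to the lowest applicable version, and a direct `PackageReference` in the consuming project overrides a transitive one as long as it still satisfies every range that names the package. The package catalog is constructed for the example; the MDS 3.1.5 -> Azure.Identity `>=1.3.0` edge is what the issue states, `1.10.2` as the patched Azure.Identity release is an assumption to verify against the CVE-2023-36414 advisory, and `1.3.1` and MDS `3.1.6` are hypothetical.

```python
"""Model of NuGet's lowest-applicable-version resolution for the MDS/Azure.Identity case.

Added example, not code from Microsoft.Data.SqlClient or the Azure SDK. The catalog
below is constructed: only the versions the scenarios need are listed, and the real
packages have many more dependencies than shown here.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Version:
    major: int
    minor: int
    patch: int

    @classmethod
    def parse(cls, text: str) -> "Version":
        parts = [int(p) for p in text.strip().split(".")]
        while len(parts) < 3:
            parts.append(0)
        return cls(*parts[:3])

    def __str__(self) -> str:
        return f"{self.major}.{self.minor}.{self.patch}"


def satisfies(version_range: str, v: Version) -> bool:
    """Subset of NuGet range syntax: '1.3.0' and '[1.3.0, )' both mean >= 1.3.0,
    '[1.3.0]' is exact, '[1.3.0, 2.0.0)' is a half-open interval, '(, 1.10.2)' is < 1.10.2."""
    r = version_range.strip()
    if not r.startswith(("[", "(")):
        return v >= Version.parse(r)
    lo_inclusive, hi_inclusive = r[0] == "[", r[-1] == "]"
    body = r[1:-1]
    if "," not in body:
        return v == Version.parse(body)
    lo, hi = (p.strip() for p in body.split(",", 1))
    if lo:
        lv = Version.parse(lo)
        if v < lv or (v == lv and not lo_inclusive):
            return False
    if hi:
        hv = Version.parse(hi)
        if v > hv or (v == hv and not hi_inclusive):
            return False
    return True


# package -> published version -> {dependency: range}; constructed for this example
Catalog = dict[str, dict[str, dict[str, str]]]
CATALOG: Catalog = {
    "Microsoft.Data.SqlClient": {"3.1.5": {"Azure.Identity": "[1.3.0, )"}},  # from the issue
    "Azure.Identity": {"1.3.0": {}, "1.10.2": {}},  # 1.10.2 as the patched release is an assumption
}
AFFECTED_RANGE = "(, 1.10.2)"  # assumption: verify against the CVE-2023-36414 advisory


class ResolutionError(Exception):
    pass


def lowest_applicable(catalog: Catalog, package: str, version_range: str) -> Version:
    """NuGet picks the lowest published version that satisfies the range."""
    for candidate in sorted(Version.parse(v) for v in catalog[package]):
        if satisfies(version_range, candidate):
            return candidate
    raise ResolutionError(f"no version of {package} satisfies {version_range}")


def resolve(direct: dict[str, str], catalog: Catalog) -> dict[str, Version]:
    """Direct PackageReferences are pinned first (nearest wins); transitive edges then take
    the lowest applicable version unless the package is already pinned, in which case the
    pin must still satisfy the edge's range. A pin below the floor is what NuGet reports as
    a package downgrade (NU1605); simplified to an exception here."""
    resolved = {pkg: lowest_applicable(catalog, pkg, rng) for pkg, rng in direct.items()}
    queue = list(resolved.items())
    while queue:
        pkg, ver = queue.pop(0)
        for dep, rng in catalog[pkg][str(ver)].items():
            if dep in resolved:
                if not satisfies(rng, resolved[dep]):
                    raise ResolutionError(
                        f"{dep} {resolved[dep]} does not satisfy {rng} required by {pkg} {ver} (NU1605)")
                continue
            resolved[dep] = lowest_applicable(catalog, dep, rng)
            queue.append((dep, resolved[dep]))
    return resolved


def vulnerable(resolved: dict[str, Version], package: str = "Azure.Identity") -> bool:
    return satisfies(AFFECTED_RANGE, resolved[package])


def scenario_default() -> dict[str, Version]:
    """Only MDS 3.1.5 referenced: Azure.Identity lands on 1.3.0, the floor of the range."""
    return resolve({"Microsoft.Data.SqlClient": "3.1.5"}, CATALOG)


def scenario_direct_override() -> dict[str, Version]:
    """A direct PackageReference to the patched Azure.Identity wins over the transitive edge."""
    return resolve({"Microsoft.Data.SqlClient": "3.1.5", "Azure.Identity": "1.10.2"}, CATALOG)


def scenario_patch_without_floor_bump() -> dict[str, Version]:
    """Hypothetical 1.3.1 published, but MDS 3.1.5 still says >=1.3.0: NuGet still takes 1.3.0."""
    catalog = {**CATALOG, "Azure.Identity": {**CATALOG["Azure.Identity"], "1.3.1": {}}}
    return resolve({"Microsoft.Data.SqlClient": "3.1.5"}, catalog)


def scenario_floor_bumped() -> dict[str, Version]:
    """Hypothetical MDS 3.1.6 requiring >=1.3.1 is what makes a 1.3.x patch reach consumers."""
    catalog = {
        "Microsoft.Data.SqlClient": {"3.1.6": {"Azure.Identity": "[1.3.1, )"}},
        "Azure.Identity": {**CATALOG["Azure.Identity"], "1.3.1": {}},
    }
    return resolve({"Microsoft.Data.SqlClient": "3.1.6"}, catalog)


if __name__ == "__main__":
    for fn in (scenario_default, scenario_direct_override,
               scenario_patch_without_floor_bump, scenario_floor_bumped):
        r = fn()
        print(f"{fn.__name__}: Azure.Identity {r['Azure.Identity']}",
              "(in assumed affected range)" if vulnerable(r) else "")
```

The third scenario is the reason the reporter asks for both a 1.3.x patch and a new MDS 3.1.x: with `>=1.3.0` as the floor, NuGet keeps choosing 1.3.0 even after a fixed 1.3.1 exists, so a consumer only escapes by adding their own direct reference to a patched version or by MDS raising its floor. On a real project the equivalent check is `dotnet list package --vulnerable --include-transitive`, which reads the resolved graph from the project's assets file rather than modelling it.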

@simdanne

Okay, now that we have gone full circle, I hope the PR #2247 will get some traction.
From the outside this looks very unfortunate.
SqlClient should not depend on libraries that are not supported through the officially supported lifetime of SqlClient itself. I understand that for this CVE it might not matter much (since SqlClient users are not actually exposed to this, but this could have been different).

@JRahnama JRahnama added the 🆕 Triage Needed For new issues, not triaged yet. label Jan 22, 2024
@kf-gonzalez

@simdanne the suggested solution for this is upgrading to MDS 5.1. That is using a newer version of Azure.Identity.

@kf-gonzalez kf-gonzalez closed this as not planned Won't fix, can't repro, duplicate, stale Jan 23, 2024
@kf-gonzalez kf-gonzalez added 🚫 Won't Fix Issues that will not be worked on and removed 🆕 Triage Needed For new issues, not triaged yet. labels Jan 23, 2024