
[5.1.6] | CVE | Update Azure.Identity from 1.11.3 to 1.11.4 #2649

Conversation

DavoudEshtehari
Contributor

Addresses CVE-2024-35255


ErikEJ commented Jul 4, 2024

@DavoudEshtehari Should I close #2578 then?

@DavoudEshtehari
Contributor Author

@ErikEJ Thank you for mentioning your PRs here. I hesitated to remove MIC on servicing versions.
@David-Engel What's your preference?


ErikEJ commented Jul 4, 2024

@DavoudEshtehari Agree, I will close my PRs


ErikEJ commented Jul 4, 2024

LGTM


cremor commented Jul 10, 2024

This was fixed in the main branch by #2577. Wouldn't it make sense to use that change for the 5.1 branch too?
Related question: #2568 (comment)

Also, here is a request to bump further: #1108 (comment)


DavoudEshtehari commented Jul 10, 2024

> This was fixed in the main branch by #2577 Wouldn't it make sense to use that change for the 5.1 branch too? Related

This was already asked by Erik, and he agreed with the argument.


cremor commented Jul 10, 2024

Ok, but what about #1108 (comment)?
If I understand that correctly then the Azure dependency currently causes SqlClient to depend on the Windows Desktop runtime. And that dependency also flows to EF Core. (And that is relevant here because EF Core depends on SqlClient v5.1.)


ErikEJ commented Jul 10, 2024

Have you tried adding an explicit reference to the latest version?


cremor commented Jul 10, 2024

Yes, I'm already doing that.
But still, if nothing speaks against it, the issue should be fixed here to spare others from losing time to it.

@SimonCropp
Contributor

Can we please get a patch out for this?


ErikEJ commented Jul 20, 2024

@SimonCropp and others: Please read this: https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/

In particular the section "Recommended way to resolve warnings"

@SimonCropp
Contributor

@ErikEJ That doc is poorly worded. It should be phrased:

The way to temporarily work around a transitive CVE is to add a direct reference. Then, when the transitive CVE is fixed, that direct reference can be removed.

We are now at the second part.
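The workaround that ErikEJ's link and the comment above both describe (pin the vulnerable transitive package with a direct reference, then drop the pin once the upstream fix ships) looks like this in a project file. This is an added example, not code from this PR or from the SqlClient or EF Core repositories. The consuming project, the EF Core package version, the target framework and the audit settings are assumptions for illustration; the only version taken from the thread is Azure.Identity 1.11.4 as the fixed release.

```xml
<!-- Added example, not from the PR thread. Assumed: an application that
     references the EF Core SQL Server provider, which transitively pulls
     in Microsoft.Data.SqlClient 5.1.x and, through it, a vulnerable
     Azure.Identity. Package versions other than Azure.Identity 1.11.4
     are illustrative. -->
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>

    <!-- Audit transitive packages as well as direct ones, so the
         vulnerable Azure.Identity shows up as a restore warning
         (NU1901..NU1904 by severity) instead of staying invisible. -->
    <NuGetAudit>true</NuGetAudit>
    <NuGetAuditMode>all</NuGetAuditMode>
    <NuGetAuditLevel>low</NuGetAuditLevel>

    <!-- Fail the build on any audit finding rather than shipping it. -->
    <WarningsAsErrors>$(WarningsAsErrors);NU1901;NU1902;NU1903;NU1904</WarningsAsErrors>
  </PropertyGroup>

  <ItemGroup>
    <!-- Before: only the indirect path exists, so restore resolves
         whatever Azure.Identity version the SqlClient 5.1.x dependency
         graph asks for, i.e. the vulnerable one. -->
    <PackageReference Include="Microsoft.EntityFrameworkCore.SqlServer" Version="8.0.7" />

    <!-- Temporary workaround (the "first part" described above): a direct
         reference to a fixed version wins over the transitive request
         because NuGet resolves the nearest reference in the graph.
         Remove this line once the project consumes a SqlClient servicing
         release that itself depends on Azure.Identity >= 1.11.4
         (the "second part"). -->
    <PackageReference Include="Azure.Identity" Version="1.11.4" />
  </ItemGroup>

</Project>
```

To confirm the pin actually took effect, run `dotnet list package --vulnerable --include-transitive` after restore: the Azure.Identity entry should disappear from the report, and the resolved version in `obj/project.assets.json` should read 1.11.4. The same command is how to verify, after removing the pin, that the servicing release you moved to no longer drags the old version back in.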

@DavoudEshtehari DavoudEshtehari merged commit f63ae8f into dotnet:release/5.1 Jul 25, 2024
129 of 131 checks passed
@SimonCropp
Contributor

If this is important enough to be included in a hotfix for an older version, doesn't it also qualify for a hotfix release on the current version?


cremor commented Jul 25, 2024

@SimonCropp See #2648 (comment)
