Conversation

@DavoudEshtehari
Contributor

Addresses CVE-2024-35255

@ErikEJ
Contributor

ErikEJ commented Jul 4, 2024

@DavoudEshtehari Should I close #2578 then?

@DavoudEshtehari
Contributor Author

@ErikEJ Thank you for mentioning your PRs here. I hesitated to remove MIC on servicing versions.
@David-Engel What's your preference?

@ErikEJ
Contributor

ErikEJ commented Jul 4, 2024

@DavoudEshtehari Agree, I will close my PRs

@ErikEJ
Contributor

ErikEJ commented Jul 4, 2024

LGTM

@cremor

cremor commented Jul 10, 2024

This was fixed in the main branch by #2577. Wouldn't it make sense to use that change for the 5.1 branch too?
Related question: #2568 (comment)

Also, here is a request to bump further: #1108 (comment)

@DavoudEshtehari
Contributor Author

DavoudEshtehari commented Jul 10, 2024

This was fixed in the main branch by #2577 Wouldn't it make sense to use that change for the 5.1 branch too? Related

This was already asked by Erik and he agrees with the argument.

@cremor

cremor commented Jul 10, 2024

Ok, but what about #1108 (comment)?
If I understand that correctly then the Azure dependency currently causes SqlClient to depend on the Windows Desktop runtime. And that dependency also flows to EF Core. (And that is relevant here because EF Core depends on SqlClient v5.1.)

@ErikEJ
Contributor

ErikEJ commented Jul 10, 2024

Have you tried adding an explicit reference to the latest version?

@cremor

cremor commented Jul 10, 2024

Yes, I'm already doing that.
But still, if nothing speaks against it, the issue should be fixed here to spare others from losing time to it.

@SimonCropp
Contributor

can we please get a patch out for this

@ErikEJ
Contributor

ErikEJ commented Jul 20, 2024

@SimonCropp and others: Please read this: https://devblogs.microsoft.com/nuget/nugetaudit-2-0-elevating-security-and-trust-in-package-management/

In particular the section "Recommended way to resolve warnings"

@SimonCropp
Contributor

@ErikEJ that doc is poorly worded. It should be phrased:

The way to temporarily work around a transitive CVE is to add a direct reference. Then, when the transitive CVE is fixed, that direct reference can be removed.

We are now at the second part.

@DavoudEshtehari DavoudEshtehari merged commit f63ae8f into dotnet:release/5.1 Jul 25, 2024
@SimonCropp
Contributor

If this is important enough to be included in a hotfix for an older version, doesn't it also qualify for a hotfix release on the current version?

@cremor

cremor commented Jul 25, 2024

@SimonCropp See #2648 (comment)
