CG alert cleaning on VS17.10 #10724

Merged
merged 6 commits into from
Oct 16, 2024

GangWang01
Member

@GangWang01 GangWang01 commented Sep 30, 2024

Fixes #
CVE-2024-38095, CVE-2024-38081

Summary

MSBuild 17.10 uses dependencies with known vulnerabilities.

Customer Impact

Using software without known vulnerabilities.

Regression?

No.

Testing

Existing automated tests.

Risk

Low - there are no functional changes.

Changes Made

Upgrade Microsoft.IO.Redist from 6.0.0 to 6.0.1, System.Formats.Asn1 from 8.0.0 to 8.0.1.

@MichalPavlik MichalPavlik marked this pull request as ready for review October 8, 2024 14:00
@MichalPavlik MichalPavlik requested a review from a team as a code owner October 8, 2024 14:00
Contributor

Hello! I noticed that you're targeting one of our servicing branches. Please consider updating the version.

Member

@JanKrivanek JanKrivanek left a comment

Thanks!

@MichalPavlik MichalPavlik enabled auto-merge (squash) October 15, 2024 12:27
@MichalPavlik MichalPavlik merged commit 310060b into vs17.10 Oct 16, 2024
10 checks passed
@MichalPavlik MichalPavlik deleted the exp/gaw/cg-fix17.10 branch October 16, 2024 09:38
@MichalPavlik MichalPavlik self-assigned this Oct 16, 2024
JanKrivanek added a commit that referenced this pull request Dec 19, 2024
* Check version bump on release branches' update

* Skip check version bump on release branch update for initial commit to release branch or the change from dotnet bot

* Remove the exception for dependencies update by dotnet-maestro[bot]

* Bump version

* [automated] Merge branch 'vs17.9' => 'vs17.10' (#10081)

* Dont ngen taskhost Fixes our lack of optprof data (#8737)

Don't ngen TaskHosts

* Bump version

* Bump version

* Update System.Security.Cryptography.Pkcs

* Bump version

* Workaround for incorrect encoding of PUA range in GB18030 Uri string (#9751)

* [release/vs17.7] Onboard 1es templates (#9924)

* bump arcade version

* bump MicrosoftNetCompilersToolsetVersion

* bump MicrosoftNetCompilersToolsetVersion

* update sha for Microsoft.Net.Compilers.Toolset

* update darc

* update arcade channel .net 8

* update arcade

* Changed pool image

---------

Co-authored-by: Forgind <12969783+Forgind@users.noreply.github.com>
Co-authored-by: Jan Krivanek <jankrivanek@microsoft.com>
Co-authored-by: sujitnayak <sujitn@microsoft.com>
Co-authored-by: YuliiaKovalova <95473390+YuliiaKovalova@users.noreply.github.com>
Co-authored-by: YuliiaKovalova <ykovalova@microsoft.com>
Co-authored-by: Surayya Huseyn Zada <shuseynzada@microsoft.com>
Co-authored-by: Surayya Huseyn Zada <114938397+surayya-MS@users.noreply.github.com>
Co-authored-by: Mariana Dematte <magarces@microsoft.com>

* Disable localization for vs17.10 (#10269)

Co-authored-by: Rainer Sigwald <raines@microsoft.com>

* Enable private feeds for release branch (#10355)

This PR enables MSBuild to take security fixes from MSBuild dependencies.

* [vs17.10] Update dependencies from dotnet/arcade (#10809)

* Update dependencies from https://github.com/dotnet/arcade build 20241008.1

Microsoft.SourceBuild.Intermediate.arcade , Microsoft.DotNet.Arcade.Sdk , Microsoft.DotNet.XUnitExtensions
 From Version 8.0.0-beta.24225.1 -> To Version 8.0.0-beta.24508.1

* Update Versions.props

---------

Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com>
Co-authored-by: YuliiaKovalova <95473390+YuliiaKovalova@users.noreply.github.com>

* CG alert cleaning on VS17.10 (#10724)

* Bump Microsoft.IO.Redist to 6.0.1
* Bump System.Formats.Asn1 to 8.0.1

* [vs17.10] Update dependencies from dotnet/arcade (#10833)

* [vs17.10] Update dependencies from dotnet/arcade (#10896)

* [vs17.10] Update dependencies from dotnet/arcade (#10992)

* Update dependencies from https://github.com/dotnet/arcade build 20241112.12

Microsoft.SourceBuild.Intermediate.arcade , Microsoft.DotNet.Arcade.Sdk , Microsoft.DotNet.XUnitExtensions
 From Version 8.0.0-beta.24525.2 -> To Version 8.0.0-beta.24562.12

* Update VersionPrefix to 17.10.13

* Try to resolve CI issue that could not find System.Text.Json, Version=8.0.0.4

* Revert "Try to resolve CI issue that could not find System.Text.Json, Version=8.0.0.4"

This reverts commit 66381f3.

* Update dependencies from https://github.com/dotnet/arcade build 20241120.5

Microsoft.SourceBuild.Intermediate.arcade , Microsoft.DotNet.Arcade.Sdk , Microsoft.DotNet.XUnitExtensions
 From Version 8.0.0-beta.24525.2 -> To Version 8.0.0-beta.24570.5

* Reapply "Try to resolve CI issue that could not find System.Text.Json, Version=8.0.0.4"

This reverts commit 2cffa88.

---------

Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com>
Co-authored-by: Gang Wang <v-gaw@microsoft.com>
Co-authored-by: Surayya Huseyn Zada <shuseynzada@microsoft.com>

* [automated] Merge branch 'vs17.8' => 'vs17.10' (#11124)

* Dont ngen taskhost Fixes our lack of optprof data (#8737)

Don't ngen TaskHosts

* Bump version

* Bump version

* Update System.Security.Cryptography.Pkcs

* Bump version

* Workaround for incorrect encoding of PUA range in GB18030 Uri string (#9751)

* [release/vs17.7] Onboard 1es templates (#9924)

* bump arcade version

* bump MicrosoftNetCompilersToolsetVersion

* bump MicrosoftNetCompilersToolsetVersion

* update sha for Microsoft.Net.Compilers.Toolset

* CG alert cleaning on VS17.8 (#10725)

* Bump Microsoft.IO.Redist to 6.0.1

* Bump System.Formats.Asn1 to 8.0.1

* Bump System.Text.Json to 8.0.0.4

* Bump the dependencies of System.Text.Json

* Add System.Formats.Asn1 8.0.1 to the pre-built exception list

* Bump version prefix to 17.8.8

* Updated System.Collection.Immutable package to v8

* Adding System.Collections.Immutable 8.0.0 to the pre-built exception list

* Updated Version.Details.xml

* [vs17.8] update arcade and fix build  (#10838)

* Update dependencies from https://github.com/dotnet/arcade build 20241008.1

Microsoft.DotNet.Arcade.Sdk , Microsoft.DotNet.XUnitExtensions
 From Version 8.0.0-beta.23425.2 -> To Version 8.0.0-beta.24508.1

Dependency coherency updates

Microsoft.DotNet.XliffTasks
 From Version 1.0.0-beta.23423.1 -> To Version 1.0.0-beta.23475.1 (parent: Microsoft.DotNet.Arcade.Sdk

* remove BuildXL from nuget config

* compatibility suppressions

* Update dependencies from https://github.com/dotnet/arcade build 20241…

Microsoft.DotNet.Arcade.Sdk , Microsoft.DotNet.XUnitExtensions

 From Version 8.0.0-beta.24508.1 -> To Version 8.0.0-beta.24516.1

* include PortableRuntimeIdentifierGraph.json

* Suppress a warning IDE0305

* bump version

---------

Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com>
Co-authored-by: Jenny Bai <v-jennybai@microsoft.com>

* [vs17.8] Sync internal and public branches (#10858)

* Update dependencies from https://github.com/dotnet/arcade build 20241025.2 (#10894)

* [vs17.8] Update dependencies from dotnet/arcade (#10986)

* Update dependencies from https://github.com/dotnet/arcade build 20241112.12

Microsoft.DotNet.Arcade.Sdk , Microsoft.DotNet.XUnitExtensions
 From Version 8.0.0-beta.24525.2 -> To Version 8.0.0-beta.24562.12

* Update VersionPrefix to 17.8.11

---------

Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com>
Co-authored-by: Surayya Huseyn Zada <114938397+surayya-MS@users.noreply.github.com>

* Update dependencies from https://github.com/dotnet/arcade build 20241120.5

Microsoft.DotNet.Arcade.Sdk , Microsoft.DotNet.XUnitExtensions
 From Version 8.0.0-beta.24562.12 -> To Version 8.0.0-beta.24570.5

* Update VersionPrefix to 17.8.12

* [vs17.8] Backport VS insertion pipeline YMLs (#11066)

Co-authored-by: Jan Provaznik <janprovaznik@microsoft.com>

* Update .opt-prof.yml (#11112)

* [vs17.8] Fix setting package versions in VS insertion (#11103)

* fix setting package versions

* use VS branch names in servicing package decision

---------

Co-authored-by: Jan Provaznik <janprovaznik@microsoft.com>

* Update vs/msbuild version (#11115)

* Update vs/msbuild version

* Bump version

* Update xcopy-msbuild version to 17.8.5 (#11118)

* Add inter-branch merge flow file (#11123)

* Update .opt-prof.yml (#11121)

* Bump up System.Text.Json to 8.0.5 (#11134)

* Remove the change to CompatibilitySuppressions.xml

* Remove unnecessary workaround for sdk 8.0.1xx bootstrap in the branch vs17.8

* Bump up version prefix to 17.10.14

---------

Co-authored-by: Forgind <12969783+Forgind@users.noreply.github.com>
Co-authored-by: Jan Krivanek <jankrivanek@microsoft.com>
Co-authored-by: sujitnayak <sujitn@microsoft.com>
Co-authored-by: YuliiaKovalova <95473390+YuliiaKovalova@users.noreply.github.com>
Co-authored-by: YuliiaKovalova <ykovalova@microsoft.com>
Co-authored-by: Surayya Huseyn Zada <shuseynzada@microsoft.com>
Co-authored-by: Surayya Huseyn Zada <114938397+surayya-MS@users.noreply.github.com>
Co-authored-by: Gang Wang <v-gaw@microsoft.com>
Co-authored-by: Jan Provazník <janprovaznik@microsoft.com>
Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com>
Co-authored-by: Jenny Bai <v-jennybai@microsoft.com>
Co-authored-by: dotnet-maestro[bot] <42748379+dotnet-maestro[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

* [vs17.10] Run tests even if version is not bumped (#11059)

Co-authored-by: Jan Provaznik <janprovaznik@microsoft.com>

* Bump up version prefix to 17.11.20

---------

Co-authored-by: Gang Wang <v-gaw@microsoft.com>
Co-authored-by: Jan Krivanek <jankrivanek@microsoft.com>
Co-authored-by: Surayya Huseyn Zada <114938397+surayya-MS@users.noreply.github.com>
Co-authored-by: dotnet-maestro-bot <dotnet-maestro-bot@microsoft.com>
Co-authored-by: Forgind <12969783+Forgind@users.noreply.github.com>
Co-authored-by: sujitnayak <sujitn@microsoft.com>
Co-authored-by: YuliiaKovalova <95473390+YuliiaKovalova@users.noreply.github.com>
Co-authored-by: YuliiaKovalova <ykovalova@microsoft.com>
Co-authored-by: Surayya Huseyn Zada <shuseynzada@microsoft.com>
Co-authored-by: Mariana Dematte <magarces@microsoft.com>
Co-authored-by: AR-May <67507805+AR-May@users.noreply.github.com>
Co-authored-by: Rainer Sigwald <raines@microsoft.com>
Co-authored-by: dotnet-maestro[bot] <42748379+dotnet-maestro[bot]@users.noreply.github.com>
Co-authored-by: dotnet-maestro[bot] <dotnet-maestro[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Jan Provazník <janprovaznik@microsoft.com>
Co-authored-by: Jenny Bai <v-jennybai@microsoft.com>