
Bump System.Security.Cryptography.Xml version to address CVE-2023-29331 #55304

Merged

Conversation

@RussKie RussKie requested review from wtgodbe and a team as code owners April 23, 2024 03:28
@dotnet-issue-labeler dotnet-issue-labeler bot added the area-infrastructure Includes: MSBuild projects/targets, build scripts, CI, Installers and shared framework label Apr 23, 2024
@RussKie RussKie enabled auto-merge (squash) April 23, 2024 03:29
@RussKie RussKie force-pushed the igveliko/bump_System.Security.Cryptography.Xml_version branch from 27293c6 to fffda74 Compare April 23, 2024 03:37
@danmoseley
Copy link
Member

I'm not at my desk to check. Is this a transitive dependency that we're only directly depending on in order to pull it forward for the CVE? If so updating it is only a nice to have, if I understand correctly.

@wtgodbe
Copy link
Member

wtgodbe commented Apr 23, 2024

I'm not at my desk to check. Is this a transitive dependency that we're only directly depending on in order to pull it forward for the CVE? If so updating it is only a nice to have, if I understand correctly.

Even if it's transitive, RepoTasks is a tool, not a library, so we have to fix it either way

@wtgodbe
Copy link
Member

wtgodbe commented Apr 23, 2024

/__w/1/s/.packages/microsoft.dotnet.arcade.sdk/9.0.0-beta.24212.4/tools/SourceBuild/AfterSourceBuild.proj(81,5): error : System.Formats.Asn1.8.0.0
/__w/1/s/.packages/microsoft.dotnet.arcade.sdk/9.0.0-beta.24212.4/tools/SourceBuild/AfterSourceBuild.proj(81,5): error : System.Security.Cryptography.Pkcs.8.0.0
/__w/1/s/.packages/microsoft.dotnet.arcade.sdk/9.0.0-beta.24212.4/tools/SourceBuild/AfterSourceBuild.proj(81,5): error : System.Security.Cryptography.Xml.8.0.0

@MichaelSimons @mthalman was System.Security.Crypto.Xml 6.0.0 (and its dependencies) already special-cased for source-build? They're not in our repo baseline

@MichaelSimons
Copy link
Member

/__w/1/s/.packages/microsoft.dotnet.arcade.sdk/9.0.0-beta.24212.4/tools/SourceBuild/AfterSourceBuild.proj(81,5): error : System.Formats.Asn1.8.0.0
/__w/1/s/.packages/microsoft.dotnet.arcade.sdk/9.0.0-beta.24212.4/tools/SourceBuild/AfterSourceBuild.proj(81,5): error : System.Security.Cryptography.Pkcs.8.0.0
/__w/1/s/.packages/microsoft.dotnet.arcade.sdk/9.0.0-beta.24212.4/tools/SourceBuild/AfterSourceBuild.proj(81,5): error : System.Security.Cryptography.Xml.8.0.0

@MichaelSimons @mthalman was System.Security.Crypto.Xml 6.0.0 (and its dependencies) already special-cased for source-build? They're not in our repo baseline

System.Security.Crypto.Xml 6.0.1 was being supplied by SBRP. With this change, the 8.0 version and its dependencies would need to be added. (instructions).

@RussKie
Copy link
Member Author

RussKie commented Apr 23, 2024

/azp run

Copy link

Azure Pipelines successfully started running 3 pipeline(s).

@RussKie
Copy link
Member Author

RussKie commented Apr 23, 2024

/__w/1/s/.packages/microsoft.dotnet.arcade.sdk/9.0.0-beta.24212.4/tools/SourceBuild/AfterSourceBuild.proj(81,5): error : System.Formats.Asn1.8.0.0
/__w/1/s/.packages/microsoft.dotnet.arcade.sdk/9.0.0-beta.24212.4/tools/SourceBuild/AfterSourceBuild.proj(81,5): error : System.Security.Cryptography.Pkcs.8.0.0
/__w/1/s/.packages/microsoft.dotnet.arcade.sdk/9.0.0-beta.24212.4/tools/SourceBuild/AfterSourceBuild.proj(81,5): error : System.Security.Cryptography.Xml.8.0.0

@MichaelSimons @mthalman was System.Security.Crypto.Xml 6.0.0 (and its dependencies) already special-cased for source-build? They're not in our repo baseline

System.Security.Crypto.Xml 6.0.1 was being supplied by SBRP. With this change, the 8.0 version and its dependencies would need to be added. (instructions).

Thank you, I'll look into this.

@danmoseley
Copy link
Member

Even if it's transitive, RepoTasks is a tool, not a library, so we have to fix it either way

Gotcha, agreed.
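The question raised in this thread, whether the package is only referenced directly in order to pull a transitive dependency forward and whether the resolved graph really ends up on the bumped version, can be checked mechanically instead of from memory. The script below is an added example, not code from this PR or from the dotnet repositories: it reads a NuGet packages.lock.json (the lock file embedded here is constructed for illustration, as is the package name Example.Legacy.Tooling) and reports every package, direct or transitive, whose resolved version is below a floor. The floor of 8.0.0 for System.Security.Cryptography.Xml, System.Security.Cryptography.Pkcs and System.Formats.Asn1 is an assumption taken from the versions this PR moves to; the authoritative affected and fixed ranges for CVE-2023-29331 belong in the advisory, not in this table.

```python
"""Flag NuGet packages resolved below a minimum version, direct or transitive.

Reads a NuGet lock file (packages.lock.json, written when a project restores
with RestorePackagesWithLockFile=true) and reports every package, whether
referenced directly or pulled in transitively, whose resolved version is
below the floor given for it.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed sample lock file (not taken from the PR): one target framework,
# one direct reference that pulls the three packages named in the build
# errors forward, plus a hypothetical transitive package left on an old version.
SAMPLE_LOCK_FILE = """
{
  "version": 1,
  "dependencies": {
    "net8.0": {
      "System.Security.Cryptography.Xml": {
        "type": "Direct",
        "requested": "[8.0.0, )",
        "resolved": "8.0.0",
        "contentHash": "..."
      },
      "System.Security.Cryptography.Pkcs": {
        "type": "Transitive",
        "resolved": "8.0.0",
        "contentHash": "..."
      },
      "System.Formats.Asn1": {
        "type": "Transitive",
        "resolved": "8.0.0",
        "contentHash": "..."
      },
      "Example.Legacy.Tooling": {
        "type": "Transitive",
        "resolved": "6.0.1",
        "contentHash": "..."
      }
    }
  }
}
"""

# Assumed version floors. 8.0.0 is the version this PR moves
# System.Security.Cryptography.Xml and its dependencies to; the real
# affected/fixed ranges must come from the advisory for your framework.
MINIMUM_VERSIONS = {
    "System.Security.Cryptography.Xml": "8.0.0",
    "System.Security.Cryptography.Pkcs": "8.0.0",
    "System.Formats.Asn1": "8.0.0",
    "Example.Legacy.Tooling": "7.0.0",
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], Tuple[int, str]]:
    """Split a NuGet/SemVer version string into a comparable key.

    Numeric components are compared component-wise and padded to four parts so
    "8.0" and "8.0.0.0" compare equal. A release ranks above any prerelease of
    the same numbers (8.0.0 > 8.0.0-preview.1); two prerelease tags are compared
    as plain strings, a simplification of the SemVer rules. Build metadata
    after '+' is ignored, as SemVer requires.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    numbers += (0,) * (4 - len(numbers))
    prerelease = m.group(2)
    return numbers, ((1, "") if prerelease is None else (0, prerelease))


def find_outdated(lock_json: str, minimums: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (framework, package, reference type, resolved) for every package below its floor."""
    lock = json.loads(lock_json)
    if lock.get("version") != 1:
        raise ValueError("unsupported lock file version")
    findings = []
    for framework, packages in lock["dependencies"].items():
        for name, entry in packages.items():
            # NuGet package ids are case-insensitive, so match the floor table that way.
            floor = next((v for k, v in minimums.items() if k.lower() == name.lower()), None)
            if floor is None:
                continue
            if parse_version(entry["resolved"]) < parse_version(floor):
                findings.append((framework, name, entry["type"], entry["resolved"]))
    return findings


if __name__ == "__main__":
    for framework, name, kind, resolved in find_outdated(SAMPLE_LOCK_FILE, MINIMUM_VERSIONS):
        print(f"{framework}: {name} {resolved} ({kind}) is below the required floor")
```

Because the lock file records the resolved version for transitive entries as well as direct ones, the script answers both halves of the question above: a direct PackageReference that exists only to pull a dependency forward shows up as "Direct" with the new version, and anything the bump did not reach shows up as "Transitive" on the old one. For a repo that does not commit lock files, `dotnet list package --include-transitive` prints the same resolved graph, and `dotnet list package --vulnerable` queries the advisory feed directly.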

@dotnet-policy-service dotnet-policy-service bot added the pending-ci-rerun When assigned to a PR indicates that the CI checks should be rerun label May 3, 2024
@RussKie RussKie merged commit 70898a0 into main May 6, 2024
27 checks passed
@RussKie RussKie deleted the igveliko/bump_System.Security.Cryptography.Xml_version branch May 6, 2024 03:14
@dotnet-policy-service dotnet-policy-service bot added this to the 9.0-preview5 milestone May 6, 2024