New release to fix CVE-2024-21319 in transitive dependency #2315
Please release a new version of Microsoft.Data.SqlClient (5.1.5 or 5.2.0 for example) and fix CVE-2024-21319 in transitive dependencies.

Microsoft.Data.SqlClient 5.1.4
  Microsoft.IdentityModel.Protocols.OpenIdConnect 6.24.0, which references System.IdentityModel.Tokens.Jwt 6.24.0, which also has CVE-2024-21319

Quick fix for now:

Comments

Duplicate of #2299

Can we get this backported to 5.1.x please?

@swythan Yes, I think it will be in 5.1.5

This is being addressed in preview 5

So not in 5.1.5?

@ErikEJ Is there a public tracker for "hotfixes destined for backporting" that we can follow? Also, is there any way to predict when there might be a patch release? At the moment issues keep getting closed, but the 5.1 branch doesn't have the dependency update, so you can see why people are still asking.

But maybe @DavoudEshtehari can give some hints about the plans?

@swythan It will be included in M.D.SqlClient v5.2.0-preview5 and will be backported to the 5.1.5 hotfix release. Preview5 is going out today or tomorrow; for 5.1.5, DTBD, it should not take long in my opinion.

Thanks. Is there a reason there's no open issue for backporting it? How is that tracked?

@swythan PRs that are marked for backporting to a hotfix version are in the Projects section. For this fix it is in the SqlClient v5.1.5 hotfix project.

Perfect. Just what I was looking for. Thanks @JRahnama
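The report above is a transitive-dependency problem: the vulnerable package is not referenced by the project directly, so it only shows up by walking the dependency graph. The following Python script is an added example, not code from this issue or from the SqlClient project. It walks a constructed NuGet-style graph and reports every path from a root project to a package version listed as affected, plus the direct reference that pulls each path in. The SqlClient 5.1.4 -> OpenIdConnect 6.24.0 -> Tokens.Jwt 6.24.0 chain and the affected versions are the ones named in the issue; the root project, the extra Newtonsoft.Json edge and the graph shape around them are constructed assumptions.

```python
from typing import Dict, List, Set, Tuple

Pkg = Tuple[str, str]  # (package name, version)

# Constructed dependency graph: (package, version) -> direct dependencies.
# The SqlClient -> OpenIdConnect -> Tokens.Jwt chain is the one the issue
# describes; "MyApp" and the Newtonsoft.Json edge are made up for illustration.
DEPENDENCIES: Dict[Pkg, List[Pkg]] = {
    ("MyApp", "1.0.0"): [
        ("Microsoft.Data.SqlClient", "5.1.4"),
        ("Newtonsoft.Json", "13.0.3"),
    ],
    ("Microsoft.Data.SqlClient", "5.1.4"): [
        ("Microsoft.IdentityModel.Protocols.OpenIdConnect", "6.24.0"),
    ],
    ("Microsoft.IdentityModel.Protocols.OpenIdConnect", "6.24.0"): [
        ("System.IdentityModel.Tokens.Jwt", "6.24.0"),
    ],
    ("System.IdentityModel.Tokens.Jwt", "6.24.0"): [],
    ("Newtonsoft.Json", "13.0.3"): [],
}

# Package versions the issue text names as affected by CVE-2024-21319.
AFFECTED: Set[Pkg] = {
    ("Microsoft.IdentityModel.Protocols.OpenIdConnect", "6.24.0"),
    ("System.IdentityModel.Tokens.Jwt", "6.24.0"),
}


def find_vulnerable_paths(graph: Dict[Pkg, List[Pkg]], root: Pkg,
                          affected: Set[Pkg]) -> List[List[Pkg]]:
    """Return every dependency path from root to an affected package version.

    Each path is a list of (name, version) tuples starting at root. A
    depth-first walk is used so that every distinct path is reported, not
    just the first hit; a cycle guard keeps malformed graphs from looping.
    """
    paths: List[List[Pkg]] = []
    stack: List[Tuple[Pkg, List[Pkg]]] = [(root, [root])]
    while stack:
        node, path = stack.pop()
        for dep in graph.get(node, []):
            new_path = path + [dep]
            if dep in affected:
                paths.append(new_path)
            if dep in path:  # cycle guard: already on this path
                continue
            stack.append((dep, new_path))
    return paths


def direct_pins_needed(paths: List[List[Pkg]], root: Pkg) -> List[Pkg]:
    """The root's direct references that introduce each vulnerable path.

    These are the packages a consumer must either upgrade or override with
    a direct reference to a patched version of the affected package while
    waiting for the upstream release.
    """
    return sorted({p[1] for p in paths if p[0] == root and len(p) > 1})


def format_path(path: List[Pkg]) -> str:
    """Render a path as 'Name Version -> Name Version -> ...'."""
    return " -> ".join(f"{name} {version}" for name, version in path)


if __name__ == "__main__":
    root = ("MyApp", "1.0.0")
    found = find_vulnerable_paths(DEPENDENCIES, root, AFFECTED)
    for p in found:
        print("vulnerable path:", format_path(p))
    for name, version in direct_pins_needed(found, root):
        print(f"direct reference pulling in affected code: {name} {version}")
```

Run as a script it lists both paths ending in the affected packages and names Microsoft.Data.SqlClient 5.1.4 as the direct reference responsible. The general consumer-side mitigation the second function points at is to add a direct PackageReference to a fixed version of the affected package, which NuGet's nearest-wins resolution prefers over the transitive one; whether that matches the reporter's own quick fix is not something this example claims.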