New release to fix CVE-2024-21319 in transitive dependency #2315

Closed
304NotModified opened this issue Jan 23, 2024 · 11 comments

Comments

@304NotModified (Author)

Please release a new version of Microsoft.Data.SqlClient (5.1.5 or 5.2.0 for example) and fix CVE-2024-21319 in the transitive dependencies.

Affected: Microsoft.Data.SqlClient 5.1.4

Quick fix for now:

```xml
<ItemGroup>
  <PackageReference Include="Microsoft.Data.SqlClient" Version="5.1.4" />
  <!-- Microsoft.Data.SqlClient 5.1.4 brings in a Microsoft.IdentityModel.JsonWebTokens version with CVE-2024-21319 -->
  <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" Version="6.34.0" />
  <!-- Microsoft.Data.SqlClient 5.1.4 brings in an indirect System.IdentityModel.Tokens.Jwt version with CVE-2024-21319 -->
  <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="6.34.0" />
</ItemGroup>
```
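The quick fix above works because a direct `PackageReference` at a higher version overrides the lower version NuGet would otherwise resolve transitively. The script below is an added example, not code from this issue or from the SqlClient project: it reads a NuGet `packages.lock.json` (produced when the project sets `RestorePackagesWithLockFile` to true), reports every target framework in which `Microsoft.IdentityModel.JsonWebTokens` or `System.IdentityModel.Tokens.Jwt` resolved below 6.34.0 (the minimum the quick fix uses), and emits the pin lines to add. The lock-file contents, the `contentHash` values and the transitive version 6.24.0 are constructed for the example and are not taken from the issue; the function names are the example's own.

```python
"""Audit a NuGet packages.lock.json for transitive packages that resolved below
a fixed version, and emit the PackageReference pins that override them.
Added example; the lock file below is a constructed sample, not real data."""
import json
from typing import Dict, List, Tuple

# Minimum versions carrying the fix, as used by the quick fix in the issue.
FIXED_MINIMUM: Dict[str, str] = {
    "Microsoft.IdentityModel.JsonWebTokens": "6.34.0",
    "System.IdentityModel.Tokens.Jwt": "6.34.0",
}


def constructed_lock(jwt_resolved: str, jwt_type: str) -> str:
    """Build a lock file in the shape NuGet writes. Constructed sample: the
    contentHash values and the declared lower bound 6.24.0 are illustrative."""
    jwt_entry = {"type": jwt_type, "resolved": jwt_resolved, "contentHash": "constructed"}
    lock = {
        "version": 1,
        "dependencies": {
            "net8.0": {
                "Microsoft.Data.SqlClient": {
                    "type": "Direct",
                    "requested": "[5.1.4, )",
                    "resolved": "5.1.4",
                    "contentHash": "constructed",
                    # Declared lower bounds of the direct package, not what was resolved.
                    "dependencies": {
                        "Microsoft.IdentityModel.JsonWebTokens": "6.24.0",
                        "System.IdentityModel.Tokens.Jwt": "6.24.0",
                    },
                },
                "Microsoft.IdentityModel.JsonWebTokens": dict(jwt_entry),
                "System.IdentityModel.Tokens.Jwt": dict(jwt_entry),
            }
        },
    }
    return json.dumps(lock)


# Before the pin: both JWT packages are transitive at the illustrative 6.24.0.
SAMPLE_LOCK_BEFORE = constructed_lock("6.24.0", "Transitive")
# After adding the PackageReference pins and re-running restore.
SAMPLE_LOCK_AFTER = constructed_lock("6.34.0", "Direct")


def version_key(v: str) -> Tuple[Tuple[int, ...], int]:
    """Comparable key for a NuGet version: numeric parts padded to four places,
    then a flag so a pre-release (6.34.0-preview.1) sorts below stable 6.34.0."""
    core, dash, _ = v.partition("-")
    core = core.split("+", 1)[0]          # drop build metadata
    nums = [int(p) for p in core.split(".")]
    nums += [0] * (4 - len(nums))
    return tuple(nums), 0 if dash else 1


def find_vulnerable(lock_text: str, fixed_minimum: Dict[str, str]) -> List[Dict[str, str]]:
    """Report each (framework, package) whose top-level 'resolved' version is
    below the fixed minimum, direct or transitive. Only the top-level entry is
    checked: that is the version that ends up in the build output."""
    lock = json.loads(lock_text)
    findings = []
    for tfm, packages in lock.get("dependencies", {}).items():
        for name, minimum in fixed_minimum.items():
            entry = packages.get(name)
            if entry is None:
                continue
            resolved = entry["resolved"]
            if version_key(resolved) < version_key(minimum):
                findings.append({"framework": tfm, "package": name,
                                 "type": entry.get("type", "?"),
                                 "resolved": resolved, "fixed": minimum})
    return findings


def override_lines(findings: List[Dict[str, str]]) -> List[str]:
    """PackageReference lines to add to the project: one per affected package,
    at the fixed version, so the direct reference wins over the transitive one."""
    pins = {f["package"]: f["fixed"] for f in findings}
    return [f'<PackageReference Include="{name}" Version="{ver}" />'
            for name, ver in sorted(pins.items())]


if __name__ == "__main__":
    before = find_vulnerable(SAMPLE_LOCK_BEFORE, FIXED_MINIMUM)
    for f in before:
        print(f"{f['framework']}: {f['package']} {f['resolved']} ({f['type']}) < {f['fixed']}")
    print("\n".join(override_lines(before)))
    print("after pinning:", find_vulnerable(SAMPLE_LOCK_AFTER, FIXED_MINIMUM))
```

Run it against the real lock file by replacing `SAMPLE_LOCK_BEFORE` with the file's contents; after adding the emitted lines and running `dotnet restore --force-evaluate`, the second check should come back empty, which is the confirmation that the pin actually took effect rather than being shadowed by a higher declared range elsewhere.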
@ErikEJ (Contributor) commented Jan 23, 2024

Duplicate of #2299

@swythan commented Jan 23, 2024

Can we get this backported to 5.1.x please?

@ErikEJ (Contributor) commented Jan 23, 2024

@swythan Yes, I think it will be in 5.1.5

@JRahnama JRahnama added this to Needs triage in SqlClient Triage Board via automation Jan 23, 2024
@kf-gonzalez

This is being addressed in preview 5

SqlClient Triage Board automation moved this from Needs triage to Closed Jan 23, 2024
@304NotModified (Author) commented Jan 23, 2024

> This is being addressed in preview 5

So not in 5.1.5?

@swythan commented Jan 24, 2024

@ErikEJ Is there a public tracker for "hotfixes destined for backporting" that we can follow? Also is there any way to predict when there might be a patch release?

At the moment issues keep getting closed but the 5.1 branch doesn't have the dependency update, so you can see why people are still asking.
https://github.com/dotnet/SqlClient/blob/release/5.1/tools/props/Versions.props#L33

@ErikEJ (Contributor) commented Jan 24, 2024

@swythan I only have this

But maybe @DavoudEshtehari can give some hints about the plans?

@JRahnama (Member)

@swythan it will be included in M.D.SqlClient v5.2.0-preview5 and will be backported to hot fix release of 5.1.5. Preview5 is going out today or tomorrow, for 5.1.5 DTBD, it should not take long in my opinion.

@swythan commented Jan 24, 2024

Thanks. Is there a reason there's no open issue for backporting it? How is that tracked?

@JRahnama (Member)

@swythan PRs that are marked for backporting to a hotfix version are in the Projects section. For this fix it is in the SqlClient v5.1.5 hotfix project.

@swythan commented Jan 24, 2024

Perfect. Just what I was looking for. Thanks @JRahnama

5 participants