-
Notifications
You must be signed in to change notification settings - Fork 857
Add direct reference to System.Text.Encodings.Web version 4.7.2 due to CVE-2021-26701 #4390
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
CodeBlanch
merged 6 commits into
open-telemetry:main
from
jrebagliatti:jrebagliatti/CVE-2021-26701
Apr 17, 2023
Merged
Changes from 2 commits
Commits
Show all changes
6 commits
Select commit
Hold shift + click to select a range
ff08a32
Bump System.Text.Json version to 5.0.2 due to CVE-2021-26701
jrebagliatti 0d0c3ee
Update changelogs
jrebagliatti cfc2592
Revert "Bump System.Text.Json version to 5.0.2 due to CVE-2021-26701"
jrebagliatti a547e61
Add direct reference to System.Text.Encodings.Web min version 4.7.2
jrebagliatti 4558595
Merge remote-tracking branch 'origin/main' into jrebagliatti/CVE-2021…
jrebagliatti f521bd5
Fix markdownlint
jrebagliatti File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I haven't looked into the versioning story. Do we know if
5.*.*is backward compatible with4.7.*and if folks can just bump the version?If the answer is no, we probably need different versions depending on the target runtime version:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I got some advice from the owner of
System.Text.JsonandSystem.Text.Encoding.Web:System.Text.Jsonmight give trouble to users who rely on certain features that were affected by these breaking changes.System.Text.Encoding.Webversion bump is very backward compatible (so we don't expect any surprise due to breaking changes).Given the above information, I suggest that we don't make the
System.Text.Jsonversion bump, instead, we add explicit dependency toSystem.Text.Encoding.Weband enforce the versions which have fixed the security vulnerabilities.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@reyang based on your comments, I've reverted the version bump of
System.Text.Jsonand added a direct reference toSystem.Text.Encodings.Webversion4.7.2to the following projects:Exporter.ConsoleExporter.JaegerExporter.ZipkinInstrumentation.Http.Testsis also referencingSystem.Text.Json, but apparently it's using version6.0.5which references version>6.0.0ofSystem.Text.Encodings.Webwhich is not affected by the vulnerability.I see, however, that there's at least one other library referencing a vulnerable version of
System.Text.Encodings.Web:OpenTelemetry.Instrumentation.AspNetCore->Microsoft.AspNetCore.Http.Abstractions/2.1.1->System.Text.Encodings.Web/4.5.0In this case I think the solution should be to add a direct reference to
System.Text.Encodings.Web/4.5.1(patched version) as there's no otherMicrosoft.AspNetCore.Http.Abstractions/2.1.xminor release that fix the issue (actually, latest version,2.2.0, doesn't fix it either).If you want me to do the change, please advise how should I proceed as I'm not familiarized with the project's dependency management.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jrebagliatti I suggest that we address this in a separate PR.
@vishweshbankwar Would you look into the
OpenTelemetry.Instrumentation.AspNetCorepart?