From 70388e7e8de3913720bff3ffaf7649a03c2199ec Mon Sep 17 00:00:00 2001 From: Vishwesh Bankwar Date: Mon, 17 Apr 2023 19:41:16 -0700 Subject: [PATCH 1/3] Fix `System.Text.Encodings.Web` vulnerability --- src/OpenTelemetry.Instrumentation.AspNetCore/CHANGELOG.md | 7 +++++++ .../OpenTelemetry.Instrumentation.AspNetCore.csproj | 2 ++ 2 files changed, 9 insertions(+) diff --git a/src/OpenTelemetry.Instrumentation.AspNetCore/CHANGELOG.md b/src/OpenTelemetry.Instrumentation.AspNetCore/CHANGELOG.md index 07e13a8f5fc..8efeb9070e0 100644 --- a/src/OpenTelemetry.Instrumentation.AspNetCore/CHANGELOG.md +++ b/src/OpenTelemetry.Instrumentation.AspNetCore/CHANGELOG.md @@ -2,6 +2,13 @@ ## Unreleased +* Added direct reference to `System.Text.Encodings.Web` with minimum version of +`4.7.2` due to [CVE-2021-26701](https://github.com/dotnet/runtime/issues/49377). +This impacts target frameworks `netstandard2.0` and `netstandard2.1` which has a +dependency on `Microsoft.AspNetCore.Http.Abstractions` which depends on +`System.Text.Encodings.Web` >= 4.5.0. +([#]()) + * Improve perf by avoiding boxing of common status codes values. ([#4360](https://github.com/open-telemetry/opentelemetry-dotnet/pull/4360), [#4363](https://github.com/open-telemetry/opentelemetry-dotnet/pull/4363)) diff --git a/src/OpenTelemetry.Instrumentation.AspNetCore/OpenTelemetry.Instrumentation.AspNetCore.csproj b/src/OpenTelemetry.Instrumentation.AspNetCore/OpenTelemetry.Instrumentation.AspNetCore.csproj index 81cde3fb4c2..741700c518c 100644 --- a/src/OpenTelemetry.Instrumentation.AspNetCore/OpenTelemetry.Instrumentation.AspNetCore.csproj +++ b/src/OpenTelemetry.Instrumentation.AspNetCore/OpenTelemetry.Instrumentation.AspNetCore.csproj @@ -21,11 +21,13 @@ + + From 91c21420feb159a1a2ccaae6452493c393802542 Mon Sep 17 00:00:00 2001 
From: Vishwesh Bankwar Date: Mon, 17 Apr 2023 19:42:15 -0700 Subject: [PATCH 2/3] PR # --- src/OpenTelemetry.Instrumentation.AspNetCore/CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/OpenTelemetry.Instrumentation.AspNetCore/CHANGELOG.md b/src/OpenTelemetry.Instrumentation.AspNetCore/CHANGELOG.md index 8efeb9070e0..5aed404f3a9 100644 --- a/src/OpenTelemetry.Instrumentation.AspNetCore/CHANGELOG.md +++ b/src/OpenTelemetry.Instrumentation.AspNetCore/CHANGELOG.md @@ -7,7 +7,7 @@ This impacts target frameworks `netstandard2.0` and `netstandard2.1` which has a dependency on `Microsoft.AspNetCore.Http.Abstractions` which depends on `System.Text.Encodings.Web` >= 4.5.0. -([#]()) +([#4399](https://github.com/open-telemetry/opentelemetry-dotnet/pull/4399)) * Improve perf by avoiding boxing of common status codes values. ([#4360](https://github.com/open-telemetry/opentelemetry-dotnet/pull/4360), From 63a79401ef74a3f661de0413487157136f210059 Mon Sep 17 00:00:00 2001 From: Vishwesh Bankwar Date: Mon, 17 Apr 2023 19:43:17 -0700 Subject: [PATCH 3/3] reword --- src/OpenTelemetry.Instrumentation.AspNetCore/CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/OpenTelemetry.Instrumentation.AspNetCore/CHANGELOG.md b/src/OpenTelemetry.Instrumentation.AspNetCore/CHANGELOG.md index 5aed404f3a9..714fb1be31a 100644 --- a/src/OpenTelemetry.Instrumentation.AspNetCore/CHANGELOG.md +++ b/src/OpenTelemetry.Instrumentation.AspNetCore/CHANGELOG.md 
@@ -5,7 +5,7 @@ * Added direct reference to `System.Text.Encodings.Web` with minimum version of `4.7.2` due to [CVE-2021-26701](https://github.com/dotnet/runtime/issues/49377). This impacts target frameworks `netstandard2.0` and `netstandard2.1` which has a -dependency on `Microsoft.AspNetCore.Http.Abstractions` which depends on +reference to `Microsoft.AspNetCore.Http.Abstractions` that depends on `System.Text.Encodings.Web` >= 4.5.0. ([#4399](https://github.com/open-telemetry/opentelemetry-dotnet/pull/4399))
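Review bot: In the `.csproj` hunk of PATCH 1/3 (`@@ -21,11 +21,13 @@`), the two added lines need to agree with the CHANGELOG entry in the same commit. The entry says the direct reference to `System.Text.Encodings.Web` has a minimum version of `4.7.2` and is needed for `netstandard2.0` and `netstandard2.1`. The reference should therefore carry exactly that version and be limited to those two target frameworks, for example by a condition on the enclosing item group, so that other targets do not gain a package reference they do not need.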
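Review bot: The CHANGELOG hunk in PATCH 2/3 only fills in the empty `([#]())` link that PATCH 1/3 committed, and the subject line `PR #` does not describe the change. Squash 2/3 and the `reword` in 3/3 into 1/3 so that no commit in history carries the empty link and the CVE-2021-26701 fix lands as one commit that can be cherry-picked or reverted on its own.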
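Review bot: In the PATCH 3/3 hunk, the unchanged context line just above the reworded line still reads "target frameworks `netstandard2.0` and `netstandard2.1` which has a". The subject is plural, so this should be "which have a reference to". It would also help consumers if the entry said that the `System.Text.Encodings.Web` >= 4.5.0 constraint arrives transitively through `Microsoft.AspNetCore.Http.Abstractions`, since that is why a direct reference is needed to raise the resolved version to `4.7.2`.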