Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug Report] Update DotNetty and Newtonsoft.Json dependencies in 1.36.6 #2962

Closed
damonbarry opened this issue Nov 15, 2022 · 4 comments
Closed

[Bug Report] Update DotNetty and Newtonsoft.Json dependencies in 1.36.6 #2962

damonbarry opened this issue Nov 15, 2022 · 4 comments
Assignees
@schoims
Labels
bug Something isn't working. IoTSDK Tracks all IoT SDK issues across the board

Comments

@damonbarry
Copy link
Member

Context

  • OS, version, SKU and CPU architecture used: Linux amd64, arm32v7, arm64v8
  • Application's .NET Target Framework : .NET 6.0
  • SDK version used: 1.36.6

Description of the issue

IoT Edge 1.4 LTS currently uses Microsoft.Azure.Devices.Client 1.36.6. We recently had to update transitive dependencies on DotNetty and Newtonsoft.Json through the SDK to fix known security bugs in those libraries. Our changes were a temporary workaround; we plan to remove them once the SDK has updated its references to DotNetty and Newtonsoft.Json.

See Azure/iotedge#6762 and Azure/iotedge#6699.
@damonbarry damonbarry added the bug Something isn't working. label Nov 15, 2022
@github-actions github-actions bot added the IoTSDK Tracks all IoT SDK issues across the board label Nov 15, 2022
@schoims schoims self-assigned this Nov 16, 2022
@schoims
Copy link
Contributor

schoims commented Nov 16, 2022

Thank you for bringing this to our attention. We will release the fix soon.

@schoims
Copy link
Contributor

schoims commented Jan 18, 2023
edited
Loading

Hello,

We upgraded DotNetty to a newer version in this PR (#2970) for LTS.

We were considering upgrading the version of Newtonsoft.Json to the latest major version, but we also do not want to be forcing customers to a latest dependency. Instead, we introduced safe defaults for the maxDepth parameter in the JsonSerializerSettings in this PR (#3045) as suggested by this link Improper Handling of Exceptional Conditions in Newtonsoft.Json · GHSA-5crp-9r3c-p9vr · GitHub Advisory Database) to mitigate a vulnerability. IoT Edge LTS should have an updated transitive dependency on Newtonsoft.Json.

Thank you.

@damonbarry
Copy link
Member Author

@schoims Great! Will there be a 1.36.7 release published to nuget soon?

@schoims
Copy link
Contributor

schoims commented Jan 25, 2023

@damonbarry The new LTS packages are released. https://github.com/Azure/azure-iot-sdk-csharp/releases/tag/lts_2021-3-18_patch7

@schoims schoims closed this as completed Jan 25, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@schoims schoims

Labels
bug Something isn't working. IoTSDK Tracks all IoT SDK issues across the board
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@damonbarry @schoims