port: Fix CVE-2021-26701 (#5355) #1089

github-actions · 2021-03-25T18:44:50Z

The changes in Fix CVE-2021-26701 (#5355) may need to be ported to maintain parity with microsoft/botbuilder-dotnet.

Refs https://github.com/dotnet/runtime/issues/49377#affected-software
Fixes #5356

Description

System.Text.Encodings.Web has security issues needs to be fixed.

Most of our libraries don't directly depend on this particular package, in most cases, we depend on it via asp.net core. And after .net core 3.0, the asp.net core is built-into .net core runtime, so usually user just have to update the .net core runtime in their end, we should be OK.

One exception is in this particular package, we depend on "Microsoft.ApplicationInsights.AspNetCore" and then later depend on this offending package via package reference, which can't be solved by updating runtime.

So, in this fix, i override the transient dependency directly.

See also microsoft/BotFramework-Composer#6548

After the fix

Please review and, if necessary, port the changes.

The text was updated successfully, but these errors were encountered:

LeeParrishMSFT · 2021-03-25T19:49:59Z

Not applicable as this is a .NET vulnerability and doesn't apply to Java.

github-actions bot added ExemptFromDailyDRIReport Use this label to exclude the issue from the DRI report. needs-triage The issue has just been created and it has not been reviewed by the team. parity The issue describes a gap in parity between two or more platforms. labels Mar 25, 2021

LeeParrishMSFT closed this as completed Mar 25, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

port: Fix CVE-2021-26701 (#5355) #1089

port: Fix CVE-2021-26701 (#5355) #1089

github-actions bot commented Mar 25, 2021

Description

LeeParrishMSFT commented Mar 25, 2021

port: Fix CVE-2021-26701 (#5355) #1089

port: Fix CVE-2021-26701 (#5355) #1089

Comments

github-actions bot commented Mar 25, 2021

Description

LeeParrishMSFT commented Mar 25, 2021