paulmedynski
Contributor

@paulmedynski paulmedynski commented Apr 16, 2025

  • Added an explicit dependency on System.Text.Json 6.0.11 to avoid transitive CVE for .NET Framework.
  • Reorganized some PackageReference entries to be alphabetically ordered.
  • Fixed incorrect Microsoft.Extensions.Caching.Memory version in AKV .nuspec to suppress https://github.com/dotnet/SqlClient/security/dependabot/13
  • Fixed incorrect MDS versions in AKV .nuspec.
  • Fixed transitive downgrade of System.Text.Encodings.Web.
  • Added TSAUpload bug workaround to TSA options config.

…xt.Json 6.0.0. Severity: High

- Adding System.Text.Json v6.0.10 dependency for .NET Framework to avoid CVE.
…for AKV

- Updated the .nuspec for AKV to report MECM v6.0.3, which is what we're actually using.
@paulmedynski paulmedynski added this to the 5.1.7 milestone Apr 16, 2025
@paulmedynski paulmedynski requested a review from a team April 16, 2025 18:08
@paulmedynski paulmedynski changed the title from "CVE-2024-43485 - Update System.Text.Json to 6.0.10" to "[5.1] CVE-2024-43485 - Update System.Text.Json to 6.0.10" Apr 16, 2025
@cheenamalhotra
Member

Could also use 6.0.11?

codecov bot commented Apr 17, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 71.02%. Comparing base (60fc661) to head (b91d81d).
Report is 1 commits behind head on release/5.1.

Additional details and impacted files
@@               Coverage Diff               @@
##           release/5.1    #3279      +/-   ##
===============================================
- Coverage        71.89%   71.02%   -0.87%     
===============================================
  Files              293      293              
  Lines            61647    61647              
===============================================
- Hits             44323    43787     -536     
- Misses           17324    17860     +536     
Flag      Coverage Δ
addons    92.38% <ø> (ø)
netcore   75.88% <ø> (-0.22%) ⬇️
netfx     68.36% <ø> (-1.17%) ⬇️

…for AKV

- Updated System.Text.Json to 6.0.11
- Fixed MDS versions in AKV .nuspec
@paulmedynski paulmedynski changed the title from "[5.1] CVE-2024-43485 - Update System.Text.Json to 6.0.10" to "[5.1] CVE-2024-43485 - Update System.Text.Json to 6.0.11" Apr 17, 2025
…for AKV

- Fixed transitive downgrade of System.Text.Encodings.Web.
@paulmedynski paulmedynski requested a review from mdaigle April 17, 2025 17:20
@cheenamalhotra cheenamalhotra merged commit d47c51d into release/5.1 Apr 17, 2025
79 of 82 checks passed
@cheenamalhotra cheenamalhotra deleted the dev/paul/release/5.1-Json branch April 17, 2025 20:13