Skip to content

port: Fix CVE-2021-26701 (#5355) #3451

New issue
New issue
Closed
Closed
port: Fix CVE-2021-26701 (#5355)#3451
Labels
ExemptFromDailyDRIReportUse this label to exclude the issue from the DRI report.needs-triageThe issue has just been created and it has not been reviewed by the team.parityThe issue describes a gap in parity between two or more platforms.
@github-actions

Description

@github-actions
github-actions
bot
opened on Mar 25, 2021

The changes in Fix CVE-2021-26701 (#5355) may need to be ported to maintain parity with microsoft/botbuilder-dotnet.

Refs https://github.com/dotnet/runtime/issues/49377#affected-software

Fixes #5356

Description

System.Text.Encodings.Web has security issues needs to be fixed.

Most of our libraries don't directly depend on this particular package, in most cases, we depend on it via asp.net core. And after .net core 3.0, the asp.net core is built-into .net core runtime, so usually user just have to update the .net core runtime in their end, we should be OK.

One exception is in this particular package, we depend on "Microsoft.ApplicationInsights.AspNetCore" and then later depend on this offending package via package reference, which can't be solved by updating runtime.

So, in this fix, i override the transient dependency directly.

See also microsoft/BotFramework-Composer#6548

After the fix
image

Please review and, if necessary, port the changes.

Metadata

Metadata

Assignees

No one assigned

    Labels

    ExemptFromDailyDRIReportUse this label to exclude the issue from the DRI report.needs-triageThe issue has just been created and it has not been reviewed by the team.parityThe issue describes a gap in parity between two or more platforms.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions