Bump System.Security.Cryptography.Xml version to address CVE-2023-29331 #55304
27293c6 to fffda74
I'm not at my desk to check. Is this a transitive dependency that we're only directly depending on in order to pull it forward for the CVE? If so updating it is only a nice to have, if I understand correctly.
Even if it's transitive, RepoTasks is a tool, not a library, so we have to fix it either way
@MichaelSimons @mthalman was System.Security.Crypto.Xml 6.0.0 (and its dependencies) already special-cased for source-build? They're not in our repo baseline
System.Security.Crypto.Xml 6.0.1 was being supplied by SBRP. With this change, the 8.0 version and its dependencies would need to be added. (instructions).
/azp run
Azure Pipelines successfully started running 3 pipeline(s).
Thank you, I'll look into this.
Gotcha, agreed.
https://dev.azure.com/dnceng-public/public/_componentGovernance/201695/alert/7938738?typeId=21448446