From bfb3e453ee2b8e3416719166c9708dbb090de9e6 Mon Sep 17 00:00:00 2001 From: Vishwesh Bankwar Date: Wed, 19 Apr 2023 16:33:39 -0700 Subject: [PATCH] [ASP.NET Core] Fix `System.Text.Encodings.Web` vulnerability (#4399) --- src/OpenTelemetry.Instrumentation.AspNetCore/CHANGELOG.md | 7 +++++++ .../OpenTelemetry.Instrumentation.AspNetCore.csproj | 2 ++ 2 files changed, 9 insertions(+) diff --git a/src/OpenTelemetry.Instrumentation.AspNetCore/CHANGELOG.md b/src/OpenTelemetry.Instrumentation.AspNetCore/CHANGELOG.md index 07e13a8f5fc..714fb1be31a 100644 --- a/src/OpenTelemetry.Instrumentation.AspNetCore/CHANGELOG.md +++ b/src/OpenTelemetry.Instrumentation.AspNetCore/CHANGELOG.md @@ -2,6 +2,13 @@ ## Unreleased +* Added direct reference to `System.Text.Encodings.Web` with minimum version of +`4.7.2` due to [CVE-2021-26701](https://github.com/dotnet/runtime/issues/49377). +This impacts target frameworks `netstandard2.0` and `netstandard2.1` which has a +reference to `Microsoft.AspNetCore.Http.Abstractions` that depends on +`System.Text.Encodings.Web` >= 4.5.0. +([#4399](https://github.com/open-telemetry/opentelemetry-dotnet/pull/4399)) + * Improve perf by avoiding boxing of common status codes values. ([#4360](https://github.com/open-telemetry/opentelemetry-dotnet/pull/4360), [#4363](https://github.com/open-telemetry/opentelemetry-dotnet/pull/4363)) diff --git a/src/OpenTelemetry.Instrumentation.AspNetCore/OpenTelemetry.Instrumentation.AspNetCore.csproj b/src/OpenTelemetry.Instrumentation.AspNetCore/OpenTelemetry.Instrumentation.AspNetCore.csproj index 81cde3fb4c2..741700c518c 100644 --- a/src/OpenTelemetry.Instrumentation.AspNetCore/OpenTelemetry.Instrumentation.AspNetCore.csproj +++ b/src/OpenTelemetry.Instrumentation.AspNetCore/OpenTelemetry.Instrumentation.AspNetCore.csproj @@ -21,11 +21,13 @@ + +
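Review bot: In the CHANGELOG.md hunk, the new entry says the change "impacts target frameworks `netstandard2.0` and `netstandard2.1`" but does not say whether the direct reference to `System.Text.Encodings.Web` is added for those targets only or for every target. State that explicitly, so a consumer reading the changelog can tell whether their dependency graph changes. In the same sentence, "which has a reference" should read "which have a reference", since the subject is the two target frameworks. The link text is the CVE id while the link target is dotnet/runtime issue 49377; saying "see dotnet/runtime#49377" in the entry would make it clear that the reader lands on the runtime's announcement issue.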
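Review bot: In the .csproj hunk (`@@ -21,11 +21,13 @@`), the two added lines have no visible content in this copy of the patch, so the package reference and its version cannot be checked against the `4.7.2` minimum stated in the changelog entry. Please confirm that the version in the project file matches that minimum and that the reference is conditioned on the target frameworks the changelog names. If it is not already there, add a comment next to the reference that cites CVE-2021-26701 and the transitive path through `Microsoft.AspNetCore.Http.Abstractions`. Otherwise a direct reference to a package the project does not use itself looks redundant and is likely to be removed in a later cleanup, which would bring back the vulnerable transitive version.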