[repo] Mitigate vulnerabilities in System.Text.Json 8.0.4 package (#5891

)
open-telemetry · Oct 8, 2024 · 9b08508 · 9b08508
1 parent 66c2e4b
commit 9b08508
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 8 deletions.
diff --git a/Directory.Packages.props b/Directory.Packages.props
@@ -3,8 +3,10 @@
   <PropertyGroup>
     <ManagePackageVersionsCentrally>true</ManagePackageVersionsCentrally>
     <OTelLatestStableVer>1.9.0</OTelLatestStableVer>
+
+    <!-- Mitigate https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43485. -->
     <SystemTextEncodingsWebOutOfBandMinimumCoreAppVer>8.0.0</SystemTextEncodingsWebOutOfBandMinimumCoreAppVer>
-    <SystemTextJsonOutOfBandMinimumCoreAppVer>8.0.4</SystemTextJsonOutOfBandMinimumCoreAppVer>
+    <SystemTextJsonOutOfBandMinimumCoreAppVer>8.0.5</SystemTextJsonOutOfBandMinimumCoreAppVer>
   </PropertyGroup>
 
   <!--
@@ -59,6 +61,11 @@
   </ItemGroup>
 
   <ItemGroup>
+    <!--
+        Note: See TargetFrameworksRequiringSystemTextJsonDirectReference for the
+        list of targets where System.Text.Json direct reference is applied.
+    -->
+
     <!--
         We use conservative versions of these packages for older runtimes where
         an upgrade might introduce breaking changes. For example see:
@@ -67,7 +74,7 @@
     <PackageVersion Include="System.Text.Encodings.Web" Version="4.7.2" />
     <PackageVersion Include="System.Text.Json" Version="4.7.2" />
 
-    <!-- Bump System.Text.Json on NETCoreApp targets to mitigate https://github.com/advisories/GHSA-hh2w-p6rv-4g7w. -->
+    <!-- Newer NETCoreApp runtimes need to be redirected to safe versions. -->
     <PackageVersion Update="System.Text.Encodings.Web" Version="$(SystemTextEncodingsWebOutOfBandMinimumCoreAppVer)" Condition="'$(TargetFrameworkIdentifier)' == '.NETCoreApp'" />
     <PackageVersion Update="System.Text.Json" Version="$(SystemTextJsonOutOfBandMinimumCoreAppVer)" Condition="'$(TargetFrameworkIdentifier)' == '.NETCoreApp'" />
   </ItemGroup>

diff --git a/src/OpenTelemetry.Exporter.Console/CHANGELOG.md b/src/OpenTelemetry.Exporter.Console/CHANGELOG.md
@@ -7,9 +7,11 @@ Notes](../../RELEASENOTES.md).
 ## Unreleased
 
 * Added direct reference to `System.Text.Json` for the `net8.0` target with
-  minimum version of `8.0.4` in response to
-  [CVE-2024-30105](https://github.com/advisories/GHSA-hh2w-p6rv-4g7w).
-  ([#5874](https://github.com/open-telemetry/opentelemetry-dotnet/pull/5874))
+  minimum version of `8.0.5` in response to
+  [CVE-2024-30105](https://github.com/advisories/GHSA-hh2w-p6rv-4g7w) &
+  [CVE-2024-43485](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43485).
+  ([#5874](https://github.com/open-telemetry/opentelemetry-dotnet/pull/5874),
+  [#5891](https://github.com/open-telemetry/opentelemetry-dotnet/pull/5891))
 
 ## 1.10.0-beta.1
 

diff --git a/src/OpenTelemetry.Exporter.Zipkin/CHANGELOG.md b/src/OpenTelemetry.Exporter.Zipkin/CHANGELOG.md
@@ -7,9 +7,11 @@ Notes](../../RELEASENOTES.md).
 ## Unreleased
 
 * Added direct reference to `System.Text.Json` for the `net8.0` target with
-  minimum version of `8.0.4` in response to
-  [CVE-2024-30105](https://github.com/advisories/GHSA-hh2w-p6rv-4g7w).
-  ([#5874](https://github.com/open-telemetry/opentelemetry-dotnet/pull/5874))
+  minimum version of `8.0.5` in response to
+  [CVE-2024-30105](https://github.com/advisories/GHSA-hh2w-p6rv-4g7w) &
+  [CVE-2024-43485](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43485).
+  ([#5874](https://github.com/open-telemetry/opentelemetry-dotnet/pull/5874),
+  [#5891](https://github.com/open-telemetry/opentelemetry-dotnet/pull/5891))
 
 ## 1.10.0-beta.1