
Bump System.Text.Json version due to CVE-2021-26701 #3789

Merged
merged 3 commits into from
Oct 19, 2022

Conversation

reyang
Member

@reyang reyang commented Oct 19, 2022

Fixes #3735.

Read more: dotnet/runtime#49377

@reyang reyang requested a review from a team October 19, 2022 04:46
@cijothomas
Member

Could you please add a changelog entry?

@codecov

codecov bot commented Oct 19, 2022

Codecov Report

Merging #3789 (b216ffd) into main (5f962a1) will increase coverage by 0.01%.
The diff coverage is n/a.


@@            Coverage Diff             @@
##             main    #3789      +/-   ##
==========================================
+ Coverage   87.33%   87.34%   +0.01%     
==========================================
  Files         281      281              
  Lines       10758    10758              
==========================================
+ Hits         9395     9397       +2     
+ Misses       1363     1361       -2     
Impacted Files Coverage Δ
...lementation/SqlClientInstrumentationEventSource.cs 70.83% <0.00%> (-4.17%) ⬇️
...p/Implementation/HttpInstrumentationEventSource.cs 72.00% <0.00%> (-4.00%) ⬇️
...Telemetry/Internal/SelfDiagnosticsEventListener.cs 97.65% <0.00%> (+0.78%) ⬆️
...metryProtocol/Implementation/ActivityExtensions.cs 96.21% <0.00%> (+1.08%) ⬆️
...emetry.Api/Internal/OpenTelemetryApiEventSource.cs 79.41% <0.00%> (+2.94%) ⬆️

@cijothomas cijothomas merged commit 6d6222f into open-telemetry:main Oct 19, 2022
CodeBlanch added a commit that referenced this pull request Oct 24, 2022
* [Logs] Fix buffered log scopes being reused (#3731)

* Fix buffered log scopes being reused.

* CHANGELOG update.

* Test fixes.

Co-authored-by: Cijo Thomas <cithomas@microsoft.com>

* clarify that Prometheus HttpListener is not for production at this moment (#3737)

* [HttpClient] Export spans corresponding to retries (#3732)

* Minor update to OTLP readme (#3739)

* Nit fixes to prometheus readme

* Add minor clarification about OTLP logs

* Update workflow (#3741)

* Minor improvement to log message (#3742)

* [SDK + Jaeger] Support loading environment variables from IConfiguration in Traces & Metrics (#3720)

* Support retrieval of environment variables through IConfiguration in SDK.

* Update Jaeger to load environment variables through IConfiguration.

* Warning fix.

* CHANGELOG patch.

* Bug fixes.

* Warning cleanup.

* Code review.

* [Zipkin] Support loading envvars from IConfiguration (#3759)

* Support loading envvars from IConfiguration in Zipkin exporter.

* CHANGELOG patch.

* SqlClient Instrumentation to leverage native Activity Status. (#3751)

* [Metrics] Update default buckets for Explicit Bucket Histogram from spec (#3722)

* [Logs] Fix: Respect AttributeValueLengthLimit when building otlp LogRecord data (#3684)

* Respect SdkConfiguration.AttributeValueLengthLimit so otlp data points are not rejected by monitoring tools

* Respect maxAttributeCount and use OtlpKeyValueTransformer in AddStringAttribute and in AddIntAttribute

* Extend CHANGELOG.md

Co-authored-by: Mikel Blanchard <mblanchard@macrosssoftware.com>

* Bump actions/setup-dotnet from 3.0.1 to 3.0.2 (#3764)

Bumps [actions/setup-dotnet](https://github.com/actions/setup-dotnet) from 3.0.1 to 3.0.2.
- [Release notes](https://github.com/actions/setup-dotnet/releases)
- [Commits](actions/setup-dotnet@v3.0.1...v3.0.2)

---
updated-dependencies:
- dependency-name: actions/setup-dotnet
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* [Repo] Attempting to stabilize the API Compatibility CI job (#3766)

* Attempting to stabilize the API Compatibility CI.

* Tweak.

* More logging.

* Increase build logging level for api compat ci job.

* Tweak.

* Tweak.

* Revert extra logging in ci job.

* Switched some logging back to debug.

* Adding MinMax to Histograms (#2735)

* Logging state during building of TracerProvider (#3746)

* [HttpClient] Add unit tests for `RecordException` case (#3761)

* Add a separate example project for Logs redaction (#3744)

* Update CHANGELOG for 1.4.0-beta.2 release (#3772)

* [SDK + Otlp] Support loading envvars from IConfiguration (#3760)

* Updated Otlp Trace & Metrics exporters to load envvars from IConfiguration.

* Patch CHANGELOGs.

* Fix up otlp log exporter for SdkOptions changes.

* Revert SdkOptions public api.

* Restore tests.

* Fix benchmarks.

* SdkLimitOptions IConfiguration test.

* OtlpExporterOptions IConfiguration test.

* MetricReaderOptions IConfiguration test.

* Bug fix.

* Nit.

* [SqlClient] Add support for Filter expression (#3743)

* [SDK, Jaeger, Zipkin, & Otlp] Support loading envvars for BatchExportActivityProcessorOptions from IConfiguration (#3776)

* Support loading envvars for ExportActivityProcessorOptions & BatchExportActivityProcessorOptions from IConfiguration.

* Update src/OpenTelemetry/CHANGELOG.md

Co-authored-by: Piotr Kiełkowicz <pkiekowicz@splunk.com>

* Patch CHANGELOG.

* Unit test.

Co-authored-by: Cijo Thomas <cithomas@microsoft.com>
Co-authored-by: Piotr Kiełkowicz <pkiekowicz@splunk.com>

* Remove Env from CI `DOTNET_MULTILEVEL_LOOKUP = 1` (#3779)

* Link to .NET docs about different ports (#3704)

* Update DS to rc2 (#3781)

* ConsoleLogExporter to output full exception (#3784)

* [ASP.NET Core] Add back netstandard2.0 and 2.1 targets (#3755)

* [HttpClient] Add back netstandard2.0 target (#3787)

* Add back netstandard2.0 target

* changelog

* public api files

* Bump System.Text.Json version due to CVE-2021-26701 (#3789)

* Auto-generated Semantic Conventions (#2069)

* [SDK] Support dependency injection in ResourceBuilder and load envvars from IConfiguration (#3782)

* Add Vishwesh as an Approver (#3783)

Co-authored-by: Cijo Thomas <cijo.thomas@gmail.com>

* Move more SDK docs to docs folder (#3794)

* [Prometheus AspNetCore] Support named options in pipeline extensions (#3780)

* Support named options in Prometheus AspNetCore pipeline extensions.

* Patch CHANGELOG.

Co-authored-by: Cijo Thomas <cijo.thomas@gmail.com>

* [Logs] UnitTest: LogRecord attribute limits (#3758)

* Unittest for LogRecord attribute limits

* Remove maxValueLength from LogRecordExtensions.AddIntAttribute.

Change requested from #3684 (comment)

* Pr commits addressed

Co-authored-by: Mikel Blanchard <mblanchard@macrosssoftware.com>

* Add MinMax to console and doc additions (#3795)

* Mark private and internal classes as sealed (#3799)

Co-authored-by: Cijo Thomas <cijo.thomas@gmail.com>

* Move more docs to docs folder (#3801)

* [ASP.NET Core] Update enrich callbacks to use specific type. (#3749)

* [Http] Update enrich callbacks for http (#3792)

* [SDK] Support dependency injection in the GetDefaultResource API (#3798)

* Support dependency injection in the GetDefaultResource API.

* CHANGELOG patch.

* Test tweaks.

Co-authored-by: Cijo Thomas <cijo.thomas@gmail.com>

* Fix circular reference issue building up tracer provider. (#3803)

* [SDK] Add some missing nullable annotations (#3796)

* Added some missing nullable annotations in SDK.

* Handle null span names in SamplingParameters.

* Warning cleanup.

* Warning cleanup.

* Added link to issue in comment.

Co-authored-by: Alan West <3676547+alanwest@users.noreply.github.com>

* Guard.Range now uses invariant culture for error message (#3778)

Co-authored-by: Utkarsh Umesan Pillai <utpilla@microsoft.com>

* Fix circular reference issue building up meter provider. (#3806)

Co-authored-by: Utkarsh Umesan Pillai <utpilla@microsoft.com>

* Add missing end of code block backticks (#3807)

* More doc tweaks (#3805)

* More doc tweaks

* remove draft status

* Update grpc client enrich callbacks (#3804)

* Port refactor from main-logs branch. (#3808)

Co-authored-by: Cijo Thomas <cijo.thomas@gmail.com>

* Merge fixes.

* Merge fixes.

* Merge fix.

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Cijo Thomas <cithomas@microsoft.com>
Co-authored-by: Reiley Yang <reyang@microsoft.com>
Co-authored-by: Vishwesh Bankwar <vishweshbankwar@users.noreply.github.com>
Co-authored-by: Cijo Thomas <cijo.thomas@gmail.com>
Co-authored-by: Yun-Ting Lin <yunl@microsoft.com>
Co-authored-by: Sebastian Schoder Moreno <35150382+schoder-moreno@users.noreply.github.com>
Co-authored-by: Jonathan Wilhelm <Jonathan.wilhelm@sage.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Michael Maxwell <micmax@microsoft.com>
Co-authored-by: ggoel <gaurav.goel111@gmail.com>
Co-authored-by: Utkarsh Umesan Pillai <utpilla@microsoft.com>
Co-authored-by: Pavel Steinl <pavel.steinl@gmail.com>
Co-authored-by: Piotr Kiełkowicz <pkiekowicz@splunk.com>
Co-authored-by: aristotelos <arisvd@gmail.com>
Co-authored-by: Joao Grassi <joao@joaograssi.com>
Co-authored-by: Alan West <3676547+alanwest@users.noreply.github.com>
Co-authored-by: benhall_io <3179852+benbhall@users.noreply.github.com>
@jrebagliatti
Contributor

Hey @reyang @cijothomas @Kielek, I think the vulnerability referenced (CVE-2021-26701) has not been resolved by bumping System.Text.Json to 4.7.2, as that version is still referencing System.Text.Encodings.Web 4.7.1, which was tagged as affected by CVE-2021-26701.

If you're ok I can create a new PR bumping System.Text.Json to version 5.0.2, which references a fixed version of that package (5.0.1). Although I don't know what your policy is regarding updating the major version of your dependencies.

System.Text.Json@4.7.2 references System.Text.Encodings.Web@4.7.1 which is vulnerable (>= 4.6.0, < 4.7.2)
System.Text.Json@5.0.2 references System.Text.Encodings.Web@5.0.1 which is a patched version of 5.0.0 (also vulnerable)
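To make the transitive-dependency reasoning in the comment above concrete, here is an added Python example (not part of this PR or of the OpenTelemetry project) that encodes the two dependency chains and the affected ranges the comment states, then walks a root package's transitive references looking for an affected version. The dependency table is a constructed sample mirroring the comment, not live NuGet data.

```python
from typing import Dict, List, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '4.7.1' into (4, 7, 1) so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))

# Constructed sample of dependency edges (package@version -> what it references),
# mirroring what the comment states about System.Text.Json 4.7.2 and 5.0.2.
DEPENDS_ON: Dict[str, List[str]] = {
    "System.Text.Json@4.7.2": ["System.Text.Encodings.Web@4.7.1"],
    "System.Text.Json@5.0.2": ["System.Text.Encodings.Web@5.0.1"],
    "System.Text.Encodings.Web@4.7.1": [],
    "System.Text.Encodings.Web@5.0.1": [],
}

# Affected ranges for CVE-2021-26701 as the comment describes them:
# System.Text.Encodings.Web >= 4.6.0, < 4.7.2, and 5.0.0 (patched in 5.0.1).
# Each entry: (package, inclusive lower bound, exclusive upper bound).
VULNERABLE_RANGES = [
    ("System.Text.Encodings.Web", "4.6.0", "4.7.2"),
    ("System.Text.Encodings.Web", "5.0.0", "5.0.1"),
]

def is_vulnerable(package: str, version: str) -> bool:
    """True when package@version falls inside any affected range."""
    v = parse_version(version)
    return any(
        package == name and parse_version(lo) <= v < parse_version(hi)
        for name, lo, hi in VULNERABLE_RANGES
    )

def transitive_closure(root: str) -> List[str]:
    """Depth-first walk over DEPENDS_ON: the root plus everything it pulls in."""
    seen: List[str] = []
    stack = [root]
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.append(node)
            stack.extend(DEPENDS_ON.get(node, []))
    return seen

def vulnerable_transitives(root: str) -> List[str]:
    """Every package@version reachable from root (root included) in an affected range."""
    return [n for n in transitive_closure(root) if is_vulnerable(*n.rsplit("@", 1))]

if __name__ == "__main__":
    for root in ("System.Text.Json@4.7.2", "System.Text.Json@5.0.2"):
        print(root, "->", vulnerable_transitives(root) or "no affected packages")
```

On a real project the same question is answered by `dotnet list package --vulnerable --include-transitive`, which consults the NuGet vulnerability data instead of a hard-coded table.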

@reyang reyang deleted the reyang/CVE-2021-26701 branch April 13, 2023 15:25
@reyang
Member Author

reyang commented Apr 13, 2023

@jrebagliatti please send a PR and we can use that to discuss what the proper fix is.

Successfully merging this pull request may close these issues.

Snyk.io reports Critical Security Vulnerability in all versions of OpenTelementry.Exporter.Console