Posted to dev@avro.apache.org by "Kalle Niemitalo (Jira)" <ji...@apache.org> on 2022/07/03 23:37:00 UTC

[jira] [Commented] (AVRO-3551) Security Vulnerability - WS-2022-0161 in Newtonsoft dependency

    [ https://issues.apache.org/jira/browse/AVRO-3551?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17561950#comment-17561950 ] 

Kalle Niemitalo commented on AVRO-3551:
---------------------------------------

versions.props defines two MSBuild properties for the version of Newtonsoft.Json:

- [<NewtonsoftJsonVersion>12.0.3</NewtonsoftJsonVersion>|https://github.com/apache/avro/blob/4e1fefca493029ace961b7ef8889a3722458565a/lang/csharp/versions.props#L29] for the Apache.Avro.Tools package, i.e. the avrogen tool. This could be increased to 13.0.1 but I don't think it's urgent, because avrogen is not typically used on untrusted input and a successful attack would only cause denial of service.
- [<NewtonsoftJsonMinimumVersion>10.0.3</NewtonsoftJsonMinimumVersion>|https://github.com/apache/avro/blob/4e1fefca493029ace961b7ef8889a3722458565a/lang/csharp/versions.props#L44] for the Apache.Avro package, i.e. the main library. This one has a comment saying it should usually not be updated, and that applications using the library can declare a direct dependency on a newer version of Newtonsoft.Json if they need one. There is some rationale in [https://github.com/apache/avro/pull/981#discussion_r525692847]. I don't know whether the security issue justifies a forced upgrade now.

The Newtonsoft.Json 10.0.3 package contains a "tools" folder but 11.0.1 and later versions don't. This difference can cause difficulty during an upgrade, if the application references {{$(PkgNewtonsoft_Json)}} in its build system and needs to stay compatible with older Visual Studio versions that don't support [GeneratePathProperty metadata on PackageReference|https://docs.microsoft.com/nuget/consume-packages/package-references-in-project-files#generatepathproperty].

> Security Vulnerability - WS-2022-0161 in Newtonsoft dependency
> --------------------------------------------------------------
>
>                 Key: AVRO-3551
>                 URL: https://issues.apache.org/jira/browse/AVRO-3551
>             Project: Apache Avro
>          Issue Type: Bug
>          Components: csharp
>    Affects Versions: 1.11.0
>            Reporter: Michael Ahrens
>            Priority: Major
>
> Please upgrade Newtonsoft dependency to 13.0.1 in next version. Below versions have a security vulnerability: WS-2022-0161
> Thanks
> Michael
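One way for an application to take the fix itself, without waiting for Apache.Avro to raise NewtonsoftJsonMinimumVersion, as an added example that is not from the Avro repository or from this issue: a consuming .csproj that declares the direct Newtonsoft.Json dependency the comment describes and fails the build if the resolved version is still below 13.0.1. The target framework, the GeneratePathProperty usage and the reliance on the SDK's ResolvedCompileFileDefinitions item metadata (NuGetPackageId, NuGetPackageVersion) are assumptions, not something the Avro project ships.

```xml
<!-- Added example (not from the Avro repository): an application that consumes
     Apache.Avro and pins Newtonsoft.Json above the library's 10.0.3 minimum. -->
<Project Sdk="Microsoft.NET.Sdk">

  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net6.0</TargetFramework>   <!-- assumption -->
  </PropertyGroup>

  <ItemGroup>
    <!-- Apache.Avro only requires Newtonsoft.Json >= 10.0.3, so on its own NuGet
         resolves the transitive dependency to 10.0.3, the version affected by WS-2022-0161. -->
    <PackageReference Include="Apache.Avro" Version="1.11.0" />

    <!-- A direct reference overrides the transitive one: the whole graph gets 13.0.1.
         GeneratePathProperty exposes $(PkgNewtonsoft_Json) for builds that locate the
         package folder; note that 11.0.1 and later have no "tools" folder inside it. -->
    <PackageReference Include="Newtonsoft.Json" Version="13.0.1" GeneratePathProperty="true" />
  </ItemGroup>

  <!-- Guard rail: after the SDK has resolved package assets, collect the assemblies that
       came from Newtonsoft.Json and error out if the resolved version is still too old
       (e.g. a Directory.Build.props or central package management pinned it back down). -->
  <Target Name="CheckNewtonsoftJsonVersion" AfterTargets="ResolvePackageAssets">
    <ItemGroup>
      <_NewtonsoftJsonAssembly Include="@(ResolvedCompileFileDefinitions)"
                               Condition="'%(ResolvedCompileFileDefinitions.NuGetPackageId)' == 'Newtonsoft.Json'" />
    </ItemGroup>
    <Error Condition="'%(_NewtonsoftJsonAssembly.NuGetPackageVersion)' != '' and $([MSBuild]::VersionLessThan('%(_NewtonsoftJsonAssembly.NuGetPackageVersion)', '13.0.1'))"
           Text="Resolved Newtonsoft.Json %(_NewtonsoftJsonAssembly.NuGetPackageVersion) is below 13.0.1 (WS-2022-0161); check who pins it down." />
  </Target>
</Project>
```

After `dotnet restore`, `dotnet list package --vulnerable --include-transitive` gives an independent view of what NuGet actually resolved for the whole graph.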
--
This message was sent by Atlassian Jira
(v8.20.10#820010)