Posted to dev@avro.apache.org by "Kalle Niemitalo (Jira)" <ji...@apache.org> on 2022/07/03 23:37:00 UTC
[jira] [Commented] (AVRO-3551) Security Vulnerability - WS-2022-0161 in Newtonsoft dependency
[ https://issues.apache.org/jira/browse/AVRO-3551?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17561950#comment-17561950 ]
Kalle Niemitalo commented on AVRO-3551:
---------------------------------------
versions.props defines two MSBuild properties for the version of Newtonsoft.Json:
- [<NewtonsoftJsonVersion>12.0.3</NewtonsoftJsonVersion>|https://github.com/apache/avro/blob/4e1fefca493029ace961b7ef8889a3722458565a/lang/csharp/versions.props#L29] for the Apache.Avro.Tools package, i.e. the avrogen tool. This could be increased to 13.0.1 but I don't think it's urgent, because avrogen is not typically used on untrusted input and a successful attack would only cause denial of service.
- [<NewtonsoftJsonMinimumVersion>10.0.3</NewtonsoftJsonMinimumVersion>|https://github.com/apache/avro/blob/4e1fefca493029ace961b7ef8889a3722458565a/lang/csharp/versions.props#L44] for the Apache.Avro package, i.e. the main library. This one has a comment saying it should usually not be updated, and that applications using the library can declare a direct dependency on a newer version of Newtonsoft.Json if they need one. There is some rationale in [https://github.com/apache/avro/pull/981#discussion_r525692847]. I don't know whether the security issue justifies a forced upgrade now.
The Newtonsoft.Json 10.0.3 package contains a "tools" folder but 11.0.1 and later versions don't. This difference can cause difficulty during an upgrade, if the application references {{$(PkgNewtonsoft_Json)}} in its build system and needs to stay compatible with older Visual Studio versions that don't support [GeneratePathProperty metadata on PackageReference|https://docs.microsoft.com/nuget/consume-packages/package-references-in-project-files#generatepathproperty].
> Security Vulnerability - WS-2022-0161 in Newtonsoft dependency
> --------------------------------------------------------------
>
> Key: AVRO-3551
> URL: https://issues.apache.org/jira/browse/AVRO-3551
> Project: Apache Avro
> Issue Type: Bug
> Components: csharp
> Affects Versions: 1.11.0
> Reporter: Michael Ahrens
> Priority: Major
>
> Please upgrade Newtonsoft dependency to 13.0.1 in next version. Below versions have a security vulnerability: WS-2022-0161
> Thanks
> Michael
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
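An added check, not part of this Jira thread or of the Avro project, that reads a parsed project.assets.json (the file NuGet restore writes under obj/) and reports which Newtonsoft.Json version was resolved, whether it is below the 13.0.1 the issue asks for, and whether it arrived only through Apache.Avro's declared minimum or through the direct PackageReference the comment says applications can add. The two assets documents are constructed to mirror those situations, and the version comparison drops pre-release labels.

```python
import copy

FIXED_VERSION = "13.0.1"  # the Newtonsoft.Json release the issue asks to move to


def parse_version(text):
    """Turn a NuGet version such as '10.0.3' or '13.0.1-beta1' into a comparable
    tuple; pre-release/build metadata is dropped and missing parts pad to zero."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    return parts + (0,) * (4 - len(parts))


def audit_package(assets, package="Newtonsoft.Json", fixed=FIXED_VERSION):
    """Report the version NuGet resolved for `package`, whether it is older than
    `fixed`, whether it is referenced directly, and which packages pull it in."""
    report = {"resolved": None, "vulnerable": False, "direct": False, "pulled_in_by": []}
    # Direct references appear as "Name >= Version" strings per target framework.
    for group in assets.get("projectFileDependencyGroups", {}).values():
        if any(dep.split()[0].lower() == package.lower() for dep in group):
            report["direct"] = True
    for target in assets.get("targets", {}).values():
        for lib_id, lib in target.items():
            name, _, version = lib_id.partition("/")
            if name.lower() == package.lower():
                report["resolved"] = version
                report["vulnerable"] = parse_version(version) < parse_version(fixed)
            if package.lower() in (d.lower() for d in lib.get("dependencies", {})):
                report["pulled_in_by"].append(lib_id)
    return report


# Constructed assets for an app that only references Apache.Avro 1.11.0; the
# library's 10.0.3 minimum is what NuGet resolves because nothing asks for more.
ASSETS_LIBRARY_MINIMUM = {
    "targets": {"net6.0": {
        "Apache.Avro/1.11.0": {"type": "package",
                               "dependencies": {"Newtonsoft.Json": "10.0.3"}},
        "Newtonsoft.Json/10.0.3": {"type": "package"},
    }},
    "projectFileDependencyGroups": {"net6.0": ["Apache.Avro >= 1.11.0"]},
}

# Same app after adding a direct PackageReference to 13.0.1, as the comment suggests.
ASSETS_DIRECT_OVERRIDE = copy.deepcopy(ASSETS_LIBRARY_MINIMUM)
ASSETS_DIRECT_OVERRIDE["targets"]["net6.0"].pop("Newtonsoft.Json/10.0.3")
ASSETS_DIRECT_OVERRIDE["targets"]["net6.0"]["Newtonsoft.Json/13.0.1"] = {"type": "package"}
ASSETS_DIRECT_OVERRIDE["projectFileDependencyGroups"]["net6.0"].append("Newtonsoft.Json >= 13.0.1")

if __name__ == "__main__":
    print(audit_package(ASSETS_LIBRARY_MINIMUM))
    print(audit_package(ASSETS_DIRECT_OVERRIDE))
```

Against a real project, load obj/project.assets.json with json.load and pass the result to audit_package; an entry in pulled_in_by with no direct reference is the case where only the library's minimum version decided the outcome.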