Updates to remediate CVE-2024-0056 and CVE-2023-36414 #7

Merged
merged 3 commits into from
Mar 11, 2024


garyhampson
Contributor

See https://techcommunity.microsoft.com/t5/sql-server-blog/released-security-updates-for-microsoft-data-sqlclient-and/ba-p/4024264 for more details.

Essentially:

If you are using Microsoft.Data.SqlClient anywhere (.NET Core, .NET 6/7/8, .NET Framework) and you are using a version that is vulnerable, you must update your NuGet package reference to an updated version: 2.1.7, 3.1.5, 4.0.5, or 5.1.3.

An updated version of Microsoft.Data.SqlClient, version 5.1.4, was also released that upgrades the Azure.Identity dependency version to 1.10.3, which addresses CVE-2023-36414 in that library. (release notes) (download)
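An added example, not part of the original PR or of dbatools.library: a PowerShell check of a project file's Microsoft.Data.SqlClient references against the fixed versions listed in the description above. The function name, status labels and sample project XML are constructed for illustration, and only the release branches the description names are covered.

```powershell
# Fixed versions per release branch, as listed in the PR description.
$FixedByBranch = @{
    '2.1' = [version]'2.1.7'; '3.1' = [version]'3.1.5'
    '4.0' = [version]'4.0.5'; '5.1' = [version]'5.1.3'
}
# 5.1.4 also moves Azure.Identity to 1.10.3 (CVE-2023-36414).
$AzureIdentityBump = [version]'5.1.4'

function Test-SqlClientReference {  # hypothetical helper, not a dbatools command
    param([Parameter(Mandatory)][string]$ProjectXml, [string]$Name = 'inline')

    $doc = [xml]$ProjectXml
    # local-name() matches SDK-style and namespaced legacy project files alike.
    $refs = $doc.SelectNodes("//*[local-name()='PackageReference']") |
        Where-Object { $_.GetAttribute('Include') -eq 'Microsoft.Data.SqlClient' }

    foreach ($ref in $refs) {
        # The version is either an attribute or a child element.
        $raw = $ref.GetAttribute('Version')
        if (-not $raw) {
            $child = $ref.SelectSingleNode("*[local-name()='Version']")
            if ($child) { $raw = $child.InnerText }
        }
        $v = $null
        # Ranges, floating or prerelease versions do not parse as [version].
        $status = if (-not [version]::TryParse($raw, [ref]$v)) { 'Unresolved' } else {
            $branch = '{0}.{1}' -f $v.Major, $v.Minor
            if (-not $FixedByBranch.ContainsKey($branch)) { 'BranchNotListed' }
            elseif ($v -lt $FixedByBranch[$branch]) { 'BelowFixedVersion' }
            elseif ($branch -eq '5.1' -and $v -lt $AzureIdentityBump) { 'FixedNoAzureIdentityBump' }
            else { 'Fixed' }
        }
        [pscustomobject]@{ Project = $Name; Version = $raw; Status = $status }
    }
}

# Constructed sample project files (not taken from the dbatools.library repository).
$samples = [ordered]@{
    'below-fix' = '<Project><ItemGroup><PackageReference Include="Microsoft.Data.SqlClient" Version="5.1.2" /></ItemGroup></Project>'
    'fixed-513' = '<Project><ItemGroup><PackageReference Include="Microsoft.Data.SqlClient" Version="5.1.3" /></ItemGroup></Project>'
    'child-elt' = '<Project><ItemGroup><PackageReference Include="Microsoft.Data.SqlClient"><Version>4.0.5</Version></PackageReference></ItemGroup></Project>'
    'floating'  = '<Project><ItemGroup><PackageReference Include="Microsoft.Data.SqlClient" Version="5.1.*" /></ItemGroup></Project>'
}
foreach ($name in $samples.Keys) { Test-SqlClientReference -ProjectXml $samples[$name] -Name $name }
```

References reported as `Unresolved` or `BranchNotListed` need a manual look against the linked Microsoft advisory, since the description gives no fixed version for them.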

@garyhampson garyhampson mentioned this pull request Mar 5, 2024

jpomfret commented Mar 6, 2024

Hey @potatoqualitee - could you take a look at this one please?

@potatoqualitee
Member

Oof high severity. Thank you for your PR and using dbatools 😊 I'll work on this tonight or tomorrow morning.

Contributor Author

@garyhampson garyhampson left a comment

Hi @potatoqualitee - Thanks for catching the things that I missed! Appreciate it!

@andreasjordan

There is a new version of dbatools.library, but this PR is still not merged. How does this work? How can I check if the new version of dbatools.library has the correct new libraries in it?

@garyhampson garyhampson reopened this Mar 10, 2024
@potatoqualitee
Member

it's true, i just forgot to merge it but i used this branch to build it.

@potatoqualitee potatoqualitee merged commit d3514c6 into dataplat:main Mar 11, 2024
6 checks passed
5 participants