PostSharp 2024.0.24

@gfraiteur released this 27 Jun 10:13

PostSharp 2024.0.24 is primarily a security and privacy hardening release. It closes the June 2026 security & privacy review (#56): it hardens the build toolchain against local attacks, moves all telemetry to HTTPS, minimizes and de-correlates collected data, and removes data-collection features outright. It also fixes a build-reproducibility defect in the Windows-PDB path. It is based on v2024.0.22 and spans builds 2024.0.23 and 2024.0.24.

Security & privacy hardening

Transport security

  • #48 Upload CEIP/telemetry over HTTPS instead of plaintext HTTP.
  • #63 Warn when a license server is configured over http:// (which sends user and machine names in cleartext).

Local-machine hardening (shared/multi-user machines)

  • #45 Default the cache, binary, and dependency directories to per-user locations to prevent DLL planting.
  • #46 Restrict the .NET Framework build pipe server to clients of the same user and elevation level.
  • #50 Scope the Windows CPU-throttle semaphore to the current user to prevent a local build DoS.
  • #51 Relocate the compiler-host exception dump to a per-user directory so other local users cannot read it.
  • #47 Disable external XML entity resolution (XXE) when parsing the Learning Hub content feed.

Data minimization & privacy

  • #53 Minimize uploaded exception reports: redact secrets, omit the exception message and data, and redact user assembly identities.
  • #54 Telemetry opt-out now stops queued uploads and purges the upload queue.
  • #55 Removed the per-usage license telemetry that uploaded reversibly hashed type names.
  • #62 Rotate the telemetry device identifier on the first Monday of each month to limit cross-session correlation.
  • #65 Removed the newsletter subscription offer and all email-address collection from the license registration UI.
  • #66 Removed the Areas of Interest selection and the PostSharp Learning Hub tool window from the product.

Dependencies

  • #61 Updated log4net to 3.3.1 on modern target frameworks to address CVE-2026-40021.

Other changes

  • #35 Deterministic builds emitting a Windows PDB are now reproducible for woven types with very long fully-qualified names.
  • #36 Windows PDBs no longer get garbage, run-dependent module names for woven types with long fully-qualified names.
  • #58 Add the PostSharpAllowPipeServerWhenUnattended MSBuild property to use the pipe server in unattended builds.
