[Bug Report] Update DotNetty and Newtonsoft.Json dependencies in 1.36.6
damonbarry opened this issue · 4 comments
Context
- OS, version, SKU and CPU architecture used: Linux amd64, arm32v7, arm64v8
- Application's .NET Target Framework : .NET 6.0
- SDK version used: 1.36.6
Description of the issue
IoT Edge 1.4 LTS currently uses Microsoft.Azure.Devices.Client 1.36.6. We recently had to update transitive dependencies on DotNetty and Newtonsoft.Json through the SDK to fix known security bugs in those libraries. Our changes were a temporary workaround; we plan to remove them once the SDK has updated its references to DotNetty and Newtonsoft.Json.
See Azure/iotedge#6762 and Azure/iotedge#6699.
Thank you for bringing this to our attention. We will release the fix soon.
Hello,
We upgraded DotNetty to a newer version in this PR (#2970) for LTS.
We were considering upgrading the version of Newtonsoft.Json to the latest major version, but we also do not want to be forcing customers to a latest dependency. Instead, we introduced safe defaults for the maxDepth parameter in the JsonSerializerSettings in this PR (#3045) as suggested by this link Improper Handling of Exceptional Conditions in Newtonsoft.Json · GHSA-5crp-9r3c-p9vr · GitHub Advisory Database) to mitigate a vulnerability. IoT Edge LTS should have an updated transitive dependency on Newtonsoft.Json.
Thank you.
@schoims Great! Will there be a 1.36.7 release published to nuget soon?
@damonbarry The new LTS packages are released. https://github.com/Azure/azure-iot-sdk-csharp/releases/tag/lts_2021-3-18_patch7