Fix vulnerabilities (#24280)

isra-fel · web-flow · commit 5a3657909025 · 2024-03-11T10:19:15.000+08:00
* System.Data.SqlClient 4.8.5-&gt;4.8.6

* identitymodel.jwt 5.6.0-&gt;5.7.0

* Update ChangeLog.md

* fix test issue of attestation
diff --git a/src/Attestation/Attestation.Test/Attestation.Test.csproj b/src/Attestation/Attestation.Test/Attestation.Test.csproj
@@ -13,7 +13,7 @@
   <ItemGroup>
     <PackageReference Include="Microsoft.Azure.Attestation" Version="0.10.0-preview" />
     <PackageReference Include="Microsoft.Azure.Management.Attestation" Version="0.12.0-preview" />
-    <PackageReference Include="Microsoft.IdentityModel.Tokens" Version="5.6.0">
+    <PackageReference Include="Microsoft.IdentityModel.Tokens" Version="5.7.0">
       <NoWarn>NU1608</NoWarn>
     </PackageReference>
   </ItemGroup>
diff --git a/src/Attestation/Attestation/Attestation.csproj b/src/Attestation/Attestation/Attestation.csproj
@@ -14,7 +14,7 @@
   <ItemGroup>
     <PackageReference Include="Microsoft.Azure.Attestation" Version="0.10.0-preview" />
     <PackageReference Include="Microsoft.Azure.Management.Attestation" Version="0.12.0-preview" />
-    <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" Version="5.6.0" />
+    <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" Version="5.7.0" />
   </ItemGroup>
 
   <ItemGroup>
diff --git a/src/Attestation/Attestation/ChangeLog.md b/src/Attestation/Attestation/ChangeLog.md
@@ -20,6 +20,7 @@
 
 
 ## Upcoming Release
+* Fixed vulnerability https://github.com/advisories/GHSA-8g9c-28fc-mcx2
 
 ## Version 2.0.0
 * [Breaking Change] Replaced `New/Remove/Get-AzAttestation` with `New/Remove/Get-AzAttestationProvider`
diff --git a/src/ContainerRegistry/ContainerRegistry/ChangeLog.md b/src/ContainerRegistry/ContainerRegistry/ChangeLog.md
@@ -18,6 +18,7 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
+* Fixed vulnerability https://github.com/advisories/GHSA-8g9c-28fc-mcx2
 
 ## Version 4.1.3
 * Fixed bug in `Get-AzContainerRegistryManifest` returns only 100 results [#22922]
@@ -58,7 +59,7 @@
 * Fixed data plane operations (repository, tag, manifest) failed cross registry in single Powershell session [#14849]
 
 ## Version 2.2.2
-* Fixed bug in `Get-AzContainerRegistryManifest` showing incorrect image name 
+* Fixed bug in `Get-AzContainerRegistryManifest` showing incorrect image name
 
 ## Version 2.2.1
 * Fixed authentication for `Connect-AzContainerRegistry`
diff --git a/src/ContainerRegistry/ContainerRegistry/ContainerRegistry.csproj b/src/ContainerRegistry/ContainerRegistry/ContainerRegistry.csproj
@@ -13,9 +13,9 @@
   <ItemGroup>
     <PackageReference Include="Azure.Containers.ContainerRegistry" Version="1.0.0" />
     <PackageReference Include="Microsoft.Azure.ContainerRegistry" Version="1.0.0-preview.1" />
-    <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="5.6.0" />
+    <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="5.7.0" />
   </ItemGroup>
-  
+
   <Import Project="$([MSBuild]::GetDirectoryNameOfFileAbove($(MSBuildThisFileDirectory).., build.proj))\src\Az.Post.props" />
 
 </Project>
diff --git a/src/DataFactory/DataFactory/ChangeLog.md b/src/DataFactory/DataFactory/ChangeLog.md
@@ -18,6 +18,7 @@
         - Additional information about change #1
 -->
 ## Upcoming Release
+* Fixed vulnerability https://github.com/advisories/GHSA-98g6-xh36-x2p7
 
 ## Version 1.18.2
 * Supported Snowflake V2 in ADF
@@ -161,7 +162,7 @@
 * Add AutoUpdateETA, LatestVersion, PushedVersion, TaskQueueId and VersionStatus properties for Get-AzDataFactoryV2IntegrationRuntime cmd
 
 * Update ADF .Net SDK version to 4.6.0
-* Add parameter "PublicIPs" for "Set-AzureRmDataFactoryV2IntegrationRuntime" cmd 
+* Add parameter "PublicIPs" for "Set-AzureRmDataFactoryV2IntegrationRuntime" cmd
 to enable create Azure-SSIS IR with static public IP addresses.
 
 ## Version 1.5.1
diff --git a/src/DataFactory/DataFactoryV1/DataFactoryV1.csproj b/src/DataFactory/DataFactoryV1/DataFactoryV1.csproj
@@ -18,7 +18,7 @@
     <PackageReference Include="WindowsAzure.Storage" Version="9.3.0" />
     <!-- Include the following DLLs for security issue -->
     <PackageReference Include="System.Security.Cryptography.Xml" Version="4.7.1" />
-    <PackageReference Include="System.Data.SqlClient" Version="4.8.5" />
+    <PackageReference Include="System.Data.SqlClient" Version="4.8.6" />
   </ItemGroup>
 
   <Import Project="$([MSBuild]::GetDirectoryNameOfFileAbove($(MSBuildThisFileDirectory).., build.proj))\src\Az.Post.props" />
diff --git a/src/DataFactory/DataFactoryV2/DataFactoryV2.csproj b/src/DataFactory/DataFactoryV2/DataFactoryV2.csproj
@@ -15,7 +15,7 @@
     <PackageReference Include="Microsoft.DataTransfer.Gateway.Encryption" Version="4.14.7587.7" />
     <!-- Include the following DLLs for security issue -->
     <PackageReference Include="System.Security.Cryptography.Xml" Version="4.7.1" />
-    <PackageReference Include="System.Data.SqlClient" Version="4.8.5" />
+    <PackageReference Include="System.Data.SqlClient" Version="4.8.6" />
   </ItemGroup>
 
   <ItemGroup>
diff --git a/src/Synapse/Synapse/ChangeLog.md b/src/Synapse/Synapse/ChangeLog.md
@@ -19,6 +19,7 @@
 -->
 
 ## Upcoming Release
+* Fixed vulnerability https://github.com/advisories/GHSA-98g6-xh36-x2p7
 
 ## Version 3.0.5
 * Updated Azure.Analytics.Synapse.Artifacts to 1.0.0-preview.19
@@ -219,7 +220,7 @@
    - Updated `Get-AzSynapseRoleAssignment` cmdlet
    - Updated `Remove-AzSynapseRoleAssignment` cmdlet
    - Added `Get-AzSynapseRoleScope` cmdlet
-* Renamed -AllowAllAzureIP to -AllowAllAzureIp and changed IP range to 0.0.0.0-0.0.0.0 
+* Renamed -AllowAllAzureIP to -AllowAllAzureIp and changed IP range to 0.0.0.0-0.0.0.0
 * Added -AllowAllIp and set IP range to 0.0.0.0-255.255.255.255
 * Fixed the issue of retrieving Apache Spark pool information through management API
 
@@ -359,7 +360,7 @@
 
 * Added support for gen3 Sql Pools
     - For `Get-AzSynapseSqlPool`, `New-AzSynapseSqlPool`, ` Remove-AzSynapseSqlPool`, ` Test-AzSynapseSqlPool` and `Update-AzSynapseSqlPool` cmdlet
-        - Add Version parameter to cmdlets to specify version 3. 
+        - Add Version parameter to cmdlets to specify version 3.
         - For this release, these cmdlets will not work unless a customer's subscription is on the allowlist.
 * Added support for gen3 Sql Databases
     - Add `Get-AzSynapseSqlDatabase` cmdlet
@@ -402,10 +403,10 @@
 ## Version 0.1.1
 
 * Added support for operation of Synapse FirewallRule
-    - Add `New-AzSynapseFirewallRule` cmdlet 
-    - Add `Remove-AzSynapseFirewallRule` cmdlet 
-    - Add `Get-AzSynapseFirewallRule` cmdlet 
-    - Add `Update-AzSynapseFirewallRule` cmdlet 
+    - Add `New-AzSynapseFirewallRule` cmdlet
+    - Add `Remove-AzSynapseFirewallRule` cmdlet
+    - Add `Get-AzSynapseFirewallRule` cmdlet
+    - Add `Update-AzSynapseFirewallRule` cmdlet
 * Removed '-DisallowAllConnection' parameter from the 'New-AzSynapseWorkspace' cmdlet
 * Updated parameter set for New-AzSynapseSparkPool to fix node count issue for auto scale
 
diff --git a/src/Synapse/Synapse/Synapse.csproj b/src/Synapse/Synapse/Synapse.csproj
@@ -20,7 +20,7 @@
     <PackageReference Include="Microsoft.DataTransfer.Gateway.Encryption" Version="4.14.7587.7" />
     <!-- Include the following DLLs for security issue -->
     <PackageReference Include="System.Security.Cryptography.Xml" Version="4.7.1" />
-    <PackageReference Include="System.Data.SqlClient" Version="4.8.5" />
+    <PackageReference Include="System.Data.SqlClient" Version="4.8.6" />
   </ItemGroup>
 
   <ItemGroup>
@@ -41,7 +41,7 @@
   <ItemGroup>
     <None Remove="Models\ManagementModels\AdvancedThreatProtection\Templates\DeployWorkspaceVaTemplate.json" />
   </ItemGroup>
-	
+
   <ItemGroup>
     <EmbeddedResource Include="Models\ManagementModels\AdvancedThreatProtection\Templates\DeployWorkspaceVaTemplate.json" />
   </ItemGroup>
