Commit c48c369

Merge pull request #273878 from HeidiSteen/heidist-bug
[azure search] security update addressing information disclosure
2 parents 57d1b83 + f901d6a commit c48c369

2 files changed

+15
-6
lines changed

articles/search/search-api-migration.md

Lines changed: 13 additions & 5 deletions
@@ -10,7 +10,7 @@ ms.service: cognitive-search
1010
ms.custom:
1111
- ignite-2023
1212
ms.topic: conceptual
13-
ms.date: 04/17/2024
13+
ms.date: 04/30/2024
1414
---
1515

1616
# Upgrade to the latest REST API in Azure AI Search
@@ -26,18 +26,26 @@ Use this article to migrate data plane calls to newer versions of the [**Search
2626
> [!NOTE]
2727
> API reference docs are now versioned. To get the right content, open a reference page and then filter by version, using the selector located above the table of contents.
2828
29-
<a name="UpgradeSteps"></a>
29+
## When to upgrade
3030

31-
## How to upgrade
32-
33-
Azure AI Search breaks backward compatibility as a last resort. This section provides instructions to help you modify existing code that won't run in a newer version. Upgrade is necessary when:
31+
Azure AI Search breaks backward compatibility as a last resort. Upgrade is necessary when:
3432

3533
+ Your code references a retired or deprecated API version and is subject to one or more of the breaking changes. API versions that fall into this category include 2023-07-10-preview for vectors and [2019-05-06](#upgrade-to-2019-05-06).
3634

3735
+ Your code fails when unrecognized properties are returned in an API response. As a best practice, your application should ignore properties that it doesn't understand.
3836

3937
+ Your code persists API requests and tries to resend them to the new API version. For example, this might happen if your application persists continuation tokens returned from the Search API (for more information, look for `@search.nextPageParameters` in the [Search API Reference](/rest/api/searchservice/Search-Documents)).
4038

39+
## Breaking change for client code that reads connection information
40+
41+
Effective March 29, 2024 and applies to all [supported REST APIs](/rest/api/searchservice/search-service-api-versions):
42+
43+
+ [GET Skillset](/rest/api/searchservice/skillsets/get), [GET Index](/rest/api/searchservice/indexes/get), and [GET Indexer](/rest/api/searchservice/indexers/get) no longer return keys or connection properties in a response. This is a breaking change if you have downstream code that reads keys or connections (sensitive data) from a GET response.
44+
45+
+ If you need to retrieve admin or query API keys for your search service, use the [Management REST APIs](search-security-api-keys.md?tabs=rest-find#find-existing-keys).
46+
47+
+ If you need to retrieve connection strings of another Azure resource such as Azure Storage or Azure Cosmos DB, use the APIs of that resource and published guidance to obtain the information.
48+
4149
## Upgrade to 2023-10-01-preview
4250

4351
This version is identical to 2023-11-01 but has extra features in public preview: [built-in query vectorizer](vector-search-how-to-configure-vectorizer.md) and [vector prefilter mode](vector-search-filters.md). If you want to use those features, you should upgrade to the latest preview version.
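
Review bot: The `<a name="UpgradeSteps"></a>` anchor and the `## How to upgrade` heading are both removed at the top of this hunk with no replacement, so any existing link to `#UpgradeSteps` or `#how-to-upgrade` stops resolving; consider keeping the explicit anchor above `## When to upgrade`. In the new section, "Effective March 29, 2024 and applies to all ..." has no subject; "This change took effect on March 29, 2024 and applies to all ..." would read as a full sentence. The section also does not link the security advisory that the whats-new.md row in this same commit cites, which would tell readers why keys and connection properties were dropped from the GET responses.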

articles/search/whats-new.md

Lines changed: 2 additions & 1 deletion
@@ -7,7 +7,7 @@ author: HeidiSteen
77
ms.author: heidist
88
ms.service: cognitive-search
99
ms.topic: overview
10-
ms.date: 04/24/2024
10+
ms.date: 04/30/2024
1111
ms.custom:
1212
- references_regions
1313
- ignite-2023
@@ -24,6 +24,7 @@ ms.custom:
2424

2525
| Item&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | Type | Description |
2626
|-----------------------------|------|--------------|
27+
| [Security update addressing information disclosure](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-29063) | API | GET responses [no longer return connection strings or keys](search-api-migration.md#breaking-change-for-client-code-that-reads-connection-information). Applies to GET Skillset, GET Index, and GET Indexer. This change helps protect your Azure assets integrated with AI Search from unauthorized access. |
2728
| [**Storage expansion on Basic and Standard tiers**](search-limits-quotas-capacity.md#service-limits) | Feature | Basic now supports up to three partitions and three replicas. Basic and Standard (S1, S2, S3) tiers have significantly more storage per partition, at the same per-partition billing rate. Extra capacity is subject to [regional availability](search-limits-quotas-capacity.md#supported-regions-with-higher-storage-limits) and applies to new search services created after April 3, 2024. Currently, there's no in-place upgrade, so please create a new search service to get the extra storage. |
2829
| [**Increased quota for vectors**](search-limits-quotas-capacity.md#vector-limits-on-services-created-after-april-3-2024-in-supported-regions) | Feature | Vector quotas are also higher on new services created after April 3, 2024 in selected regions. |
2930
| [**Built-in vector quantization, narrow vector data types, and a new `stored` property (preview)**](vector-search-how-to-configure-compression-storage.md) | Feature | This preview adds support for larger vector workloads at a lower cost through three enhancements. First, *scalar quantization* reduces vector index size in memory and on disk. Second, [narrow data types](/rest/api/searchservice/supported-data-types) can be assigned to vector fields that can use them. Third, we added more flexible vector field storage options.|
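
Review bot: The added row's Item link is not bolded, while the other rows visible in this hunk all use `[**...**]`, and its Type is `API` where those rows use `Feature`; confirm both are intentional or match the table's convention. The row also omits the effective date (March 29, 2024) given in the migration section it links to, which is the detail a reader scanning this table for breakage would look for first.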
