Skip to content

[release/13.2] Bump Microsoft.Bcl.Memory to 10.0.5 to fix CVE-2026-26127#15411

Merged
joperezr merged 1 commit intorelease/13.2from
backport/pr-15410-to-release/13.2
Mar 19, 2026
Merged

[release/13.2] Bump Microsoft.Bcl.Memory to 10.0.5 to fix CVE-2026-26127#15411
joperezr merged 1 commit intorelease/13.2from
backport/pr-15410-to-release/13.2

Conversation

@github-actions
Copy link
Contributor

@github-actions github-actions bot commented Mar 19, 2026
edited by mitchdenny
Loading

Backport of #15410 to release/13.2

/cc @mitchdenny

Customer Impact

CVE alert impacting our builds. 10.0.5 is the latest.

Testing

Risk

Regression?

Bump Microsoft.Bcl.Memory to 10.0.5 to fix CVE-2026-26127
28d59d5 
Microsoft.Bcl.Memory 10.0.0 has a known high severity vulnerability
(GHSA-73j8-2gch-69rq) - a denial of service via out-of-bounds read
when decoding malformed Base64Url input. Update to 10.0.5 which
includes the fix.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions
Copy link
Contributor Author

github-actions bot commented Mar 19, 2026

🚀 Dogfood this PR with:

⚠️ WARNING: Do not do this without first carefully reviewing the code of this PR to satisfy yourself it is safe.

curl -fsSL https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 15411

Or

  • Run remotely in PowerShell:
iex "& { $(irm https://raw.githubusercontent.com/dotnet/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 15411"

@joperezr joperezr added the Servicing-approved Approved for servicing release label Mar 19, 2026
@joperezr
Copy link
Member

joperezr commented Mar 19, 2026

unrelated test failures. Merging to unblock builds.

@joperezr joperezr merged commit 96d4ccd into release/13.2 Mar 19, 2026
252 of 259 checks passed
@joperezr joperezr deleted the backport/pr-15410-to-release/13.2 branch March 19, 2026 23:08
@dotnet-policy-service dotnet-policy-service bot added this to the 13.2 milestone Mar 19, 2026
@github-actions
Copy link
Contributor Author

github-actions bot commented Mar 19, 2026

🎬 CLI E2E Test Recordings — 53 recordings uploaded (commit 28d59d5)

View recordings
Test Recording
AddPackageInteractiveWhileAppHostRunningDetached ▶️ View Recording
AddPackageWhileAppHostRunningDetached ▶️ View Recording
AgentCommands_AllHelpOutputs_AreCorrect ▶️ View Recording
AgentInitCommand_DefaultSelection_InstallsSkillOnly ▶️ View Recording
AgentInitCommand_MigratesDeprecatedConfig ▶️ View Recording
AspireAddPackageVersionToDirectoryPackagesProps ▶️ View Recording
AspireUpdateRemovesAppHostPackageVersionFromDirectoryPackagesProps ▶️ View Recording
Banner_DisplayedOnFirstRun ▶️ View Recording
Banner_DisplayedWithExplicitFlag ▶️ View Recording
CertificatesClean_RemovesCertificates ▶️ View Recording
CertificatesTrust_WithNoCert_CreatesAndTrustsCertificate ▶️ View Recording
CertificatesTrust_WithUntrustedCert_TrustsCertificate ▶️ View Recording
ConfigSetGet_CreatesNestedJsonFormat ▶️ View Recording
CreateAndDeployToDockerCompose ▶️ View Recording
CreateAndDeployToDockerComposeInteractive ▶️ View Recording
CreateAndPublishToKubernetes ▶️ View Recording
CreateAndRunAspireStarterProject ▶️ View Recording
CreateAndRunAspireStarterProjectWithBundle ▶️ View Recording
CreateAndRunEmptyAppHostProject ▶️ View Recording
CreateAndRunJsReactProject ▶️ View Recording
CreateAndRunPythonReactProject ▶️ View Recording
CreateAndRunTypeScriptEmptyAppHostProject ▶️ View Recording
CreateAndRunTypeScriptStarterProject ▶️ View Recording
CreateStartAndStopAspireProject ▶️ View Recording
CreateTypeScriptAppHostWithViteApp ▶️ View Recording
DescribeCommandResolvesReplicaNames ▶️ View Recording
DescribeCommandShowsRunningResources ▶️ View Recording
DetachFormatJsonProducesValidJson ▶️ View Recording
DoctorCommand_DetectsDeprecatedAgentConfig ▶️ View Recording
DoctorCommand_WithSslCertDir_ShowsTrusted ▶️ View Recording
DoctorCommand_WithoutSslCertDir_ShowsPartiallyTrusted ▶️ View Recording
GlobalMigration_HandlesCommentsAndTrailingCommas ▶️ View Recording
GlobalMigration_HandlesMalformedLegacyJson ▶️ View Recording
GlobalMigration_PreservesAllValueTypes ▶️ View Recording
GlobalMigration_SkipsWhenNewConfigExists ▶️ View Recording
GlobalSettings_MigratedFromLegacyFormat ▶️ View Recording
InvalidAppHostPathWithComments_IsHealedOnRun ▶️ View Recording
LegacySettingsMigration_AdjustsRelativeAppHostPath ▶️ View Recording
LogsCommandShowsResourceLogs ▶️ View Recording
PsCommandListsRunningAppHost ▶️ View Recording
PsFormatJsonOutputsOnlyJsonToStdout ▶️ View Recording
PublishWithDockerComposeServiceCallbackSucceeds ▶️ View Recording
RestoreGeneratesSdkFiles ▶️ View Recording
RunWithMissingAwaitShowsHelpfulError ▶️ View Recording
SecretCrudOnDotNetAppHost ▶️ View Recording
SecretCrudOnTypeScriptAppHost ▶️ View Recording
StagingChannel_ConfigureAndVerifySettings_ThenSwitchChannels ▶️ View Recording
StopAllAppHostsFromAppHostDirectory ▶️ View Recording
StopAllAppHostsFromUnrelatedDirectory ▶️ View Recording
StopNonInteractiveMultipleAppHostsShowsError ▶️ View Recording
StopNonInteractiveSingleAppHost ▶️ View Recording
StopWithNoRunningAppHostExitsSuccessfully ▶️ View Recording
TypeScriptAppHostWithProjectReferenceIntegration ▶️ View Recording

📹 Recordings uploaded automatically from CI run #23320608515

@github-actions github-actions bot mentioned this pull request Mar 20, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mitchdenny mitchdenny mitchdenny approved these changes

@eerhardt eerhardt eerhardt approved these changes

Assignees

No one assigned

Labels

Re-opened Github-Action PR Servicing-approved Approved for servicing release

Projects

None yet

Milestone

13.2

Development

Successfully merging this pull request may close these issues.

3 participants

@joperezr @mitchdenny @eerhardt