DLL Redirection Attack GHSA-7wh2-wxc7-9ph5 : Is it necessary to rebuild WiX-built merge modules and custom action DLLs to mitigate?

[p-soma]

This question is regarding the recent security vulnerability GHSA-7wh2-wxc7-9ph5. We are using WiX v3.

We have a WiX-built Bootstrapper (Bundle), which includes a WiX-built MSI, which includes WiX-built merge modules and WiX-built Custom Action dlls (both native and managed). The merge module and custom action DLLs are already compiled using a version of WiX prior to 3.14.

Is it is necessary to rebuild the merge module and custom action DLLs using WiX 3.14 in order to mitigate the vulnerability? Or is it sufficient to use WiX 3.14 to rebuild only the MSI & Bootstrapper which uses these merge modules and custom action DLLS? In other words, if I build an MSI & Bootstrapper using WiX 3.14, but those include a merge module or custom action DLL that was built with WiX 3.11, is that installer still vulnerable to the DLL redirection attack?

[robmen]

Is it is necessary to rebuild the merge module and custom action DLLs using WiX 3.14 in order to mitigate the vulnerability

No.

Or is it sufficient to use WiX 3.14 to rebuild only the MSI & Bootstrapper which uses these merge modules and custom action DLLS?

I suppose. Sounds harder to manage multiple WiX versions.