SNOW-1463590: BouncyCastle.Cryptography Issue #962

Closed
MichaelJames008 opened this issue Jun 5, 2024 · 8 comments

Labels
- security vulnerability: Security vulnerability detected by WhiteSource
- status-fixed_awaiting_release: The issue has been fixed, its PR merged, and now awaiting the next release cycle of the connector.
- status-triage_done: Initial triage done, will be further handled by the driver team

Comments

@MichaelJames008

Hi Team,

This is not really a bug but just a request to update the connector dependency BouncyCastle.Cryptography package.
v2.2.1 is getting flagged as a security vulnerability in AKS; could you please update it to v2.3.1 or higher?

Please answer these questions before submitting your issue.
In order to accurately debug the issue this information is required. Thanks!

  1. What version of .NET driver are you using? NET 8

  2. What operating system and processor architecture are you using? Windows and Unix

  3. What version of .NET framework are you using? NET 8
    E.g. .net framework 4.5.2 or .net standard 2.0

  4. What did you do?

no error just package update needed.

  5. What did you expect to see?

    Need the dependency package updated to v2.3.1 or higher.

  6. Can you set logging to DEBUG and collect the logs?

    https://community.snowflake.com/s/article/How-to-generate-log-file-on-Snowflake-connectors
    not applicable

  7. What is your Snowflake account identifier, if any? (Optional)

github-actions bot changed the title from "BouncyCastle.Cryptography Issue" to "SNOW-1463590: BouncyCastle.Cryptography Issue" on Jun 5, 2024
sfc-gh-dszmolka self-assigned this on Jun 5, 2024
sfc-gh-dszmolka added the status-triage (Issue is under initial triage) label on Jun 5, 2024
@sfc-gh-dszmolka
Contributor

Hi, and thanks for raising this with us! Just to double-check and be on the same page: is AKS flagging CVE-2024-30172 (GHSA-m44j-cfrm-g8qc), or is it some other vulnerability it detects?

@MichaelJames008
Author

Hello, it is flagged as high severity for CVE-2024-29857 and CVE-2024-30172.

sfc-gh-dszmolka added the security vulnerability (Security vulnerability detected by WhiteSource) and status-triage_done (Initial triage done, will be further handled by the driver team) labels and removed the status-triage (Issue is under initial triage) and bug labels on Jun 5, 2024
@sfc-gh-dszmolka
Contributor

Thank you for confirming - both seem to be classified as Moderate, but regardless, we'll take care. Thank you again for your report!

@MichaelJames008
Author

Thanks much! Appreciate it.

sfc-gh-dszmolka added the status-pr_pending_merge (A PR is made and is under review) label on Jun 5, 2024
@sfc-gh-dszmolka
Contributor

PR: #964

@sfc-gh-dszmolka
Contributor

PR is merged and will be part of the next release, which is expected towards the second half of June 2024.

sfc-gh-dszmolka added the status-fixed_awaiting_release (The issue has been fixed, its PR merged, and now awaiting the next release cycle of the connector.) label and removed the status-pr_pending_merge (A PR is made and is under review) label on Jun 7, 2024
@sfc-gh-dszmolka
Contributor

sfc-gh-dszmolka commented Jun 24, 2024

Will update this thread once more information is known about the next upcoming major release of the .NET driver which will carry this fix.

edit: confirming with Product team; release should be available by mid-July 2024

@sfc-gh-dszmolka
Contributor

Fix released with Snowflake .NET driver version v4.0.0 in July 2024.
