New release to fix CVE-2024-21319 in transitive dependency

[304NotModified]

Please release a new version of Microsoft.Data.SqlClient (5.1.5 or 5.2.0 for example) and fix the
CVE-2024-21319 in transitive dependencies.

Microsoft.Data.SqlClient 5.14

• references Microsoft.IdentityModel.JsonWebTokens 6.24.0 which has CVE-2024-21319 and
  • 6.34.0 and 6.35.0 are without CVEs
• references
  Microsoft.IdentityModel.Protocols.OpenIdConnect 6.24.0which references System.IdentityModel.Tokens.Jwt 6.24.0 which has also CVE-2024-21319
  • Also 6.34.0 and 6.35.0 are without CVEs

Quick fix for now:

 <PackageReference Include="Microsoft.Data.SqlClient" Version="5.1.4" />
 <!-- Microsoft.Data.SqlClient 5.1.4 gives Microsoft.IdentityModel.JsonWebTokens dependency with CVE-2024-21319 -->
 <PackageReference Include="Microsoft.IdentityModel.JsonWebTokens" Version="6.34.0" />
 <!-- Microsoft.Data.SqlClient 5.1.4 gives indirect  System.IdentityModel.Tokens.Jwt with CVE-2024-21319 -->
 <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="6.34.0" />

[ErikEJ]

Duplicate of #2299

[swythan]

Can we get this backported to 5.1.x please?

[ErikEJ]

@swythan Yes, I think it will be in 5.1.5

[kf-gonzalez]

This is being addressed in preview 5

[304NotModified]

This is being addressed in preview 5

So not in 5.1.5?

[swythan]

@ErikEJ Is there a public tracker for "hotfixes destined for backporting" that we can follow? Also is there any way to predict when there might be a patch release?

At the moment issues keep getting closed but the 5.1 branch doesn't have the dependency update, so you can see why people are still asking.
https://github.com/dotnet/SqlClient/blob/release/5.1/tools/props/Versions.props#L33

[ErikEJ]

@swythan I only have this

But maybe @DavoudEshtehari can give some hints about the plans?

[JRahnama]

@swythan it will be included in M.D.SqlClient v5.2.0-preview5 and will be backported to hot fix release of 5.1.5. Preview5 is going out today or tomorrow, for 5.1.5 DTBD, it should not take long in my opinion.

[swythan]

Thanks. Is there a reason there's no open issue for backporting it? How is that tracked?

[JRahnama]

@swythan PRs that are marked for back porting to a hotfix version are in Project section. for this fix it is in SqlClient v5.1.5 hotfix project.

[swythan]

Perfect. Just what I was looking for. Thanks @JRahnama