
Pinned System.Security.Cryptography.Xml to 8.0.3 In /Tools/Az.nonprod.props #29433

Merged: VeryEarly merged 1 commit into main from thomas-temby/Pin-Cryptography, Apr 24, 2026
Conversation

@thomas-temby

Contributor

Description

Addressing:
CVE-2026-33116
CVE-2026-26171

Mandatory Checklist

  • SHOULD update ChangeLog.md file(s) appropriately
    • Update src/{{SERVICE}}/{{SERVICE}}/ChangeLog.md.
      • A snippet outlining the change(s) made in the PR should be written under the ## Upcoming Release header in the past tense.
    • Should not change ChangeLog.md if no new release is required, such as fixing test case only.
  • SHOULD regenerate markdown help files if there is cmdlet API change. Instruction
  • SHOULD have proper test coverage for changes in pull request.
  • SHOULD NOT adjust version of module manually in pull request

Copilot AI review requested due to automatic review settings April 22, 2026 01:39
@azure-client-tools-bot-prd

Thanks for your contribution! The pull request validation has started. Please revisit this comment for updated status.

Copilot AI left a comment

Contributor

Pull request overview

Pins System.Security.Cryptography.Xml to 8.0.3 for the repo’s non-production/tooling MSBuild imports, aligning with the referenced CVEs and ensuring net8.0 test/tool projects pull the patched dependency.

Changes:

  • Added a direct PackageReference for System.Security.Cryptography.Xml version 8.0.3 in tools/Az.nonprod.props.

@VeryEarly

Collaborator

I can see several references of this package under src as well:
[image]

@VeryEarly VeryEarly self-assigned this Apr 22, 2026
@thomas-temby

Contributor Author

The version used in source (4.7.1) is the highest patch version for v4 and is not vulnerable.

[image]

https://www.nuget.org/packages/System.Security.Cryptography.Xml/4.7.1#versions-body-tab
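
The inventory the exchange above does by hand, as an added example (not part of the PR or of the repository's tooling): it lists every PackageReference to System.Security.Cryptography.Xml in MSBuild files and marks any version other than the two discussed in this thread for review. The file contents, the `src/...` paths and the names `find_references` and `audit` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PACKAGE = "System.Security.Cryptography.Xml"
REVIEWED = {"8.0.3", "4.7.1"}  # the pin and the src version discussed in this thread

def local(tag):
    """Strip an XML namespace so namespaced (old-style) project files match too."""
    return tag.rsplit("}", 1)[-1]

def find_references(xml_text, package=PACKAGE):
    """Return the version string (or None) of every PackageReference to `package`."""
    versions = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "PackageReference":
            continue
        name = el.get("Include") or el.get("Update") or ""
        if name.lower() != package.lower():  # NuGet package ids are case-insensitive
            continue
        version = el.get("Version")
        if version is None:  # <Version> child element form
            child = next((c for c in el if local(c.tag) == "Version"), None)
            version = child.text.strip() if child is not None and child.text else None
        versions.append(version)
    return versions

def audit(files):
    """files: {path: xml_text}. Return [(path, version, status)] sorted by path."""
    report = []
    for path, text in sorted(files.items()):
        for v in find_references(text):
            # no-version: resolved elsewhere; needs-review: other version, range or $(Property)
            status = "no-version" if v is None else "reviewed" if v in REVIEWED else "needs-review"
            report.append((path, v, status))
    return report

# Constructed file contents; only the path tools/Az.nonprod.props comes from the thread.
SAMPLE = {
    "tools/Az.nonprod.props": '<Project><ItemGroup><PackageReference '
        'Include="System.Security.Cryptography.Xml" Version="8.0.3" /></ItemGroup></Project>',
    "src/Example/Example.csproj": '<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">'
        '<ItemGroup><PackageReference Include="system.security.cryptography.xml">'
        '<Version>4.7.1</Version></PackageReference></ItemGroup></Project>',
    "src/Other/Other.csproj": '<Project><ItemGroup><PackageReference '
        'Update="System.Security.Cryptography.Xml" Version="8.0.*" /></ItemGroup></Project>',
}

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row)
```

To run it on a checkout, build the `files` mapping from the repository's `.csproj`, `.props` and `.targets` files.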

@VeryEarly VeryEarly merged commit 163268f into main Apr 24, 2026
16 checks passed
@VeryEarly VeryEarly deleted the thomas-temby/Pin-Cryptography branch April 24, 2026 02:55