Recommend updating to msquic 2.4.8 #113136

Closed
GrabYourPitchforks opened this issue Mar 4, 2025 · 6 comments
Comments

@GrabYourPitchforks (Member)

The msquic folks recently released v2.4.8. Though this was not a security release, it does contain some defense-in-depth improvements related to how library load occurs.

Because of this, there's a risk that third-party vulnerability scanners may start to mark versions prior to 2.4.8 as suspicious, and that might cause false positive alerts for our customers. We should get ahead of this by proactively pulling 2.4.8 into our builds. There's no need for us to make a servicing release just for this, but it'd be good to get the update to come along for the ride the next time we have a scheduled servicing release.

Relatedly, .NET 8.0.x currently takes a dependency on msquic v2.3.x. The 2.3.x branch exits support in Sep 2025, well ahead of .NET 8's end of life. We should update the 8.0.x branch to keep ahead of any end-of-life mismatches here.

@dotnet-policy-service dotnet-policy-service bot added the untriaged New issue has not been triaged by the area owner label Mar 4, 2025
dotnet-policy-service bot (Contributor)

Tagging subscribers to this area: @dotnet/ncl
See info in area-owners.md if you want to be subscribed.

@AustinWise (Contributor)

Since #112359 was merged in this repo, msquic.dll is the only remaining DLL in the Microsoft.NETCore.App.Runtime NuGet package that is vulnerable to DLL injection. So it would be great if this could be fixed.

@ManickaP ManickaP removed the untriaged New issue has not been triaged by the area owner label Mar 5, 2025
@ManickaP ManickaP added this to the 8.0.x milestone Mar 5, 2025
@ManickaP ManickaP self-assigned this Mar 5, 2025
@GrabYourPitchforks (Member, Author)

Just to clarify, there is no vulnerability. The report concerned app-path DLL injection, which has a severity of Low and never gets an assigned CVE. (For .NET specifically, we always triage app-path DLL injection reports as "None", not "Low".)

@AustinWise (Contributor)

Good to know. I agree DLL injection has very minor severity.

If I happen to find another DLL injection issue in the future, should I continue to send reports to MSRC first and let them make the call on severity? I could not find any policy linked from the SECURITY.md file in this repo that says I should do otherwise.

@GrabYourPitchforks (Member, Author)

@AustinWise here's how MSRC triages them:

https://msrc.microsoft.com/blog/2018/04/triaging-a-dll-planting-vulnerability/

If you're ever unsure of what to do, feel free to report it and it will get triaged and assigned to the right team.

https://msrc.microsoft.com/report/vulnerability/new

Thanks!

@ManickaP (Member)

Fixed in #113206 and #11205.

@github-actions github-actions bot locked and limited conversation to collaborators Apr 18, 2025