Content-Length: 253373 | pFad | http://github.com/MoneyFox/MoneyFox/pull/3245

Update dependency Microsoft.Identity.Client to v4.60.4 [SECURITY] by renovate[bot] · Pull Request #3245 · MoneyFox/MoneyFox · GitHub
This repository has been archived by the owner on Jul 29, 2024. It is now read-only.

Update dependency Microsoft.Identity.Client to v4.60.4 [SECURITY] #3245

Open
wants to merge 1 commit into
base: master

renovate[bot]
Contributor

@renovate renovate bot commented Jun 17, 2024


This PR contains the following updates:

| Package | Change |
| --- | --- |
| Microsoft.Identity.Client (source) | 4.59.0 -> 4.60.4 |

GitHub Vulnerability Alerts

CVE-2024-27086

Important

ONLY applications targeting Xamarin Android and .NET Android (MAUI) are impacted. All others can safely dismiss this CVE.

Impact

MSAL.NET applications targeting Xamarin Android and .NET Android (e.g., MAUI) using the library from versions 4.48.0 to 4.60.3 (inclusive, except 4.59.1 and 4.60.3) are impacted by a low severity vulnerability.

A malicious application running on a customer Android device can (1) inject HTML/JavaScript in an embedded web view exported by affected applications, or (2) cause local denial of service against applications that were built using MSAL.NET for authentication on the same device (i.e., prevent the user of the legitimate application from logging in) due to incorrect activity export configuration.

Patches

MSAL.NET version 4.60.3 includes the fix. We recommend all users of MSAL.NET that are building public client applications for Android update to the latest version.

Workarounds

We recommend developers update to the latest version of MSAL.NET. If that is not possible, a developer may explicitly mark the MSAL.NET activity non-exported:

<activity android:name="microsoft.identity.client.AuthenticationAgentActivity" android:configChanges="orientation|screenSize" android:exported="false">
    <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <category android:name="android.intent.category.DEFAULT" />
        <category android:name="android.intent.category.BROWSABLE" />
        <data android:scheme="msalYOUR_CLIENT_ID" android:host="auth" />
    </intent-filter>
</activity>

References

Refer to MSAL.NET documentation for latest guidance and best practices on configuring client applications using the library.

CVE-2024-35255

Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability.


Release Notes

AzureAD/microsoft-authentication-library-for-dotnet (Microsoft.Identity.Client)

v4.60.3


Bug Fixes

Updated Android webview attribute.

v4.60.2


Bug Fixes

When OnBeforeTokenRequest extensibility API is used, MSAL now correctly uses the user-provided OnBeforeTokenRequestData.RequestUri to set the token request endpoint. See 4701.

v4.60.1


Bug Fixes

Resolved an issue where MSAL attempts to acquire a token via certificate authentication using SHA2 and PSS resulting in a `MsalServiceException` (Error code: AADSTS5002730). See 4690

v4.60.0


New Features
  • AAD client assertions are computed using SHA 256 and PSS padding. See 4428
  • CorrelationId is available in MsalException. See 4187
  • Open telemetry records telemetry for proactive token refresh background process. See 4492
  • MSAL.Net now supports generic authorities with query parameters. See 4631
Bug Fixes
  • MSAL.Net now logs an error when OBO is performed over common or organizations. See 4606
  • MSAL.Net now handles the v2.0 authorization endpoint. See 4416
  • Improved logging and error message when the web api receives a claims challenge. See 4496
  • Cloud shell error message from the managed identity endpoint is now parsed correctly. See 4402
  • Improved error message when CCA certificate is disposed before MSAL can use it. See 4602
  • Client id is now accepted as a scope. See 4652

v4.59.1


Bug Fixes

Updated Android webview attribute.


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
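
The workaround quoted in the advisory above can be verified mechanically. The following is an added example, not code from this PR, Renovate or MSAL.NET: it classifies the export state of the MSAL activity in an Android manifest. The function names, the sample package name and the sample manifests are constructed for illustration; the activity name is the one given in the advisory.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
# Activity name taken from the advisory's workaround snippet.
MSAL_ACTIVITY = "microsoft.identity.client.AuthenticationAgentActivity"


def _android_attr(elem, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def audit_msal_activity(manifest_xml):
    """Classify the MSAL activity's export state in one manifest.

    Returns 'not-declared', 'non-exported', 'exported' or 'implicitly-exported'.
    """
    root = ET.fromstring(manifest_xml)
    for activity in root.iter("activity"):
        if _android_attr(activity, "name") != MSAL_ACTIVITY:
            continue
        exported = _android_attr(activity, "exported")
        if exported is None:
            # Without an explicit value, an <intent-filter> makes the
            # activity exported by default on older target SDK levels.
            has_filter = activity.find("intent-filter") is not None
            return "implicitly-exported" if has_filter else "non-exported"
        return "non-exported" if exported.strip().lower() == "false" else "exported"
    return "not-declared"


def sample_manifest(exported_attr):
    """Constructed sample manifest; package name and layout are made up."""
    return f"""<manifest xmlns:android="{ANDROID_NS}" package="com.example.app">
  <application>
    <activity android:name="{MSAL_ACTIVITY}" {exported_attr}>
      <intent-filter>
        <action android:name="android.intent.action.VIEW" />
        <data android:scheme="msalYOUR_CLIENT_ID" android:host="auth" />
      </intent-filter>
    </activity>
  </application>
</manifest>"""


if __name__ == "__main__":
    for attr in ('android:exported="true"', 'android:exported="false"', ""):
        print(repr(attr), "->", audit_msal_activity(sample_manifest(attr)))
```

Run the check against the manifest that is actually packaged into the APK, since a manifest entry contributed by a library does not appear in the hand-written source manifest.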

@renovate renovate bot force-pushed the renovate/nuget-Microsoft.Identity.Client-vulnerability branch from 61265da to 37c6543 Compare June 19, 2024 18:39
@renovate renovate bot changed the title from "Update dependency Microsoft.Identity.Client to v4.61.3 [SECURITY]" to "Update dependency Microsoft.Identity.Client to v4.60.4 [SECURITY]" Jun 19, 2024