The upgrade caused dependency conflicts in Octopus Server, which have been difficult to resolve.
This PR downgrades System.Runtime.Caching to 6.0.0, which should resolve the downstream dependency conflicts.
Background
What happened?
The upgrade of System.Runtime.Caching from 6.0.0 -> 8.0.0 caused no problems when upgrading Halibut in Tentacle, but caused conflicts when upgrading Tentacle in Octopus Server.
The conflict was was due to multiple referenced versions (6.0.0 and 8.0.0) of the System.Security.Cryptography.ProtectedData library, which is a dependency of the System.Runtime.Caching.
Caching 8.0.0 depends on ProtectedData 8.0.0, but other existing dependencies in Server require ProtectedData 6.0.0.
Why downgrade?
Attempts to upgrade existing references to ProtectedData 8.0.0 failed for unknown reasons, as dotnet itself gave some unhelpful error messages like this:
96>Microsoft.Common.CurrentVersion.targets(2382,5): Error MSB3277 : Found conflicts between different versions of "System.Security.Cryptography.ProtectedData" that could not be resolved.
There was a conflict between "System.Security.Cryptography.ProtectedData, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" and "System.Security.Cryptography.ProtectedData, Version=8.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a".
"System.Security.Cryptography.ProtectedData, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" was chosen because it was primary and "System.Security.Cryptography.ProtectedData, Version=8.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" was not.
References which depend on "System.Security.Cryptography.ProtectedData, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" [C:\Users\AdrianCodrington\.nuget\packages\system.security.cryptography.protecteddata\6.0.0\lib\net6.0\System.Security.Cryptography.ProtectedData.dll].
C:\Users\AdrianCodrington\.nuget\packages\system.security.cryptography.protecteddata\6.0.0\lib\net6.0\System.Security.Cryptography.ProtectedData.dll
Project file item includes which caused reference "C:\Users\AdrianCodrington\.nuget\packages\system.security.cryptography.protecteddata\6.0.0\lib\net6.0\System.Security.Cryptography.ProtectedData.dll".
C:\Users\AdrianCodrington\.nuget\packages\system.security.cryptography.protecteddata\6.0.0\lib\net6.0\System.Security.Cryptography.ProtectedData.dll
References which depend on "System.Security.Cryptography.ProtectedData, Version=8.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" [].
C:\dev\OctopusDeploy\source\Octopus.Core\bin\net8.0\Octopus.Shared.dll
Project file item includes which caused reference "C:\dev\OctopusDeploy\source\Octopus.Core\bin\net8.0\Octopus.Shared.dll".
C:\dev\OctopusDeploy\source\Octopus.Core\bin\net8.0\Octopus.Core.dll
C:\dev\OctopusDeploy\source\Octopus.Aws\bin\net8.0\Octopus.Aws.dll
C:\dev\OctopusDeploy\source\Octopus.Upgraders\bin\net8.0\Octopus.Upgraders.dll
NB: the error message says that v6 depends on... itself?
References which depend on "System.Security.Cryptography.ProtectedData, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" [C:\Users\AdrianCodrington\.nuget\packages\system.security.cryptography.protecteddata\6.0.0\lib\net6.0\System.Security.Cryptography.ProtectedData.dll].
C:\Users\AdrianCodrington\.nuget\packages\system.security.cryptography.protecteddata\6.0.0\lib\net6.0\System.Security.Cryptography.ProtectedData.dll
Project file item includes which caused reference "C:\Users\AdrianCodrington\.nuget\packages\system.security.cryptography.protecteddata\6.0.0\lib\net6.0\System.Security.Cryptography.ProtectedData.dll".
C:\Users\AdrianCodrington\.nuget\packages\system.security.cryptography.protecteddata\6.0.0\lib\net6.0\System.Security.Cryptography.ProtectedData.dll
Downgrading Caching fixes the CVE by still removing references to System.Drawing.Common 5.0.0 from production code whilst not breaking downstream dependencies in Octopus Server.
How to review this PR
Quality :heavy_check_mark:
Pre-requisites
[x] I have read How we use GitHub Issues for help deciding when and where it's appropriate to make an issue.
[x] I have considered informing or consulting the right people, according to the ownership map.
[x] I have considered appropriate testing for my change.
System.Runtime.Caching
was upgraded to8.0.0
in this PR, as part of addressing CVE-2021-24112.The upgrade caused dependency conflicts in Octopus Server, which have been difficult to resolve.
This PR downgrades
System.Runtime.Caching
to6.0.0
, which should resolve the downstream dependency conflicts.Background
What happened?
The upgrade of
System.Runtime.Caching
from6.0.0
->8.0.0
caused no problems when upgrading Halibut in Tentacle, but caused conflicts when upgrading Tentacle in Octopus Server.The conflict was was due to multiple referenced versions (
6.0.0
and8.0.0
) of theSystem.Security.Cryptography.ProtectedData
library, which is a dependency of theSystem.Runtime.Caching
.Caching 8.0.0
depends onProtectedData 8.0.0
, but other existing dependencies in Server requireProtectedData 6.0.0
.Why downgrade?
Attempts to upgrade existing references to
ProtectedData 8.0.0
failed for unknown reasons, as dotnet itself gave some unhelpful error messages like this:NB: the error message says that v6 depends on... itself?
Downgrading
Caching
fixes the CVE by still removing references toSystem.Drawing.Common 5.0.0
from production code whilst not breaking downstream dependencies in Octopus Server.How to review this PR
Quality :heavy_check_mark:
Pre-requisites