Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

[BUG] File Version Not Updated For `Microsoft.Rest.ClientRuntime`

See original GitHub issue

Library name and version

Microsoft.Rest.ClientRuntime 2.3.24

Describe the bug

In this PR’s line: https://github.com/Azure/azure-sdk-for-net/pull/28169/files#diff-9b89241acf4c57c70a05219c00b631de104db571a0652b44944676866cd96dc9R6 the version number was updated to 2.3.24: https://github.com/Azure/azure-sdk-for-net/blob/962dc632e0873bfe39fb11d488bd69aaf89be4b1/sdk/mgmtcommon/ClientRuntime/ClientRuntime/Microsoft.Rest.ClientRuntime.csproj#L6

But the file version was not updated here: https://github.com/Azure/azure-sdk-for-net/blob/962dc632e0873bfe39fb11d488bd69aaf89be4b1/sdk/mgmtcommon/ClientRuntime/ClientRuntime/Properties/AssemblyInfo.cs#L12

Making this the properties: <image src="https://github.com/Azure/azure-sdk-for-net/assets/3475163/e698978f-b16e-4d55-8306-4648769534ef" width="50%" />

This matters because how desktop software MSI upgrades work. It will only replace a file if the version number has changed. And because it hasn’t upon doing an installation upgrade the original version is in the installation directory instead of the upgrade that has the security fix:

We might have a couple of short-term workarounds:

We could utilize a probing path; and install that file into a subdirectory. Upgrades then would have same file as a fresh install.
I think it is possible to change your binaries file’s version with a tool like rcedit (we won’t because that probably violates license agreements).

Expected behavior

The file version number matches the product version. Basically update this line: https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/mgmtcommon/ClientRuntime/ClientRuntime/Properties/AssemblyInfo.cs#L12

Actual behavior

File version didn’t get updated causing desktop upgrade to not update the file. Which means security vulnerability that was fixed won’t be picked up without a workaround.

Reproduction Steps

Not easy to make reproduction steps; but holler if additional information is needed.

Environment

I am using Visual Studio LTSC 17.4; but this isn’t related to my environment. Hope that helps!

Issue Analytics

State:
Created 2 months ago
Comments:5 (3 by maintainers)

Top GitHub Comments

2reactions

jsquirecommented, Jul 12, 2023

Thank you for your feedback. Tagging and routing to the team member best able to assist.

1reaction

ajorianscommented, Jul 24, 2023

Hi @ajorians , this package is an outdated management SDK that will no longer be supported after September. We recommend that you switch to our new Track 2 SDK as soon as possible. You can find the instructions for migrating to the new SDK here.

Hi @ArthurMa1978 ,

Thanks for the information. I wasn’t aware but am now; and will discuss the transition with my team. Thanks again 😃