Important: Security Advisory 2749655 affects WCF DS
What is the advisory?
Microsoft just released Security Advisory 2749655, which addresses “an issue involving specific digital certificates that were generated by Microsoft without the proper timestamp attributes.” If you are using WCF Data Services 5.0.1 or have previously installed the WCF Data Services MSI from the download center, you may run into this issue.
Does this issue create a security vulnerability?
The advisory notes that “this is not a security issue”, meaning that the issue does not create a vulnerability. However, a combination of factors could cause a WCF Data Service to stop working, or cause our installer to fail to install. Microsoft recommends that you “apply the KB 2749655 update and any rereleased updates addressing this issue immediately”.
I installed WCF Data Services 5.0 or 5.0.1. What do I need to do?
There are up to three actions WCF Data Services customers should take:
- We recommend that you install the KB referenced above.
- If you installed the WCF Data Services 5.0 MSI before Sept 26, 2012, you should download and install the replacement version of this MSI.
- If you have a dependency on the WCF Data Services NuGet package, we recommend that you upgrade to 5.0.2. This should not make any functional difference, since we only expect people to run into problems on install/uninstall; however, updating these DLLs ensures that you have validly signed DLLs.
Our NuGet packages are:
- Microsoft.Data.Services.Client (WCF Data Services Client)
- Microsoft.Data.Services (WCF Data Services Server)
- Microsoft.Data.OData (ODataLib)
- Microsoft.Data.Edm (EdmLib)
- System.Spatial (System.Spatial)
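
To find projects that still reference a pre-5.0.2 build of the packages listed above, the following added example (not code from the WCF Data Services team) scans `packages.config` files. It assumes projects use `packages.config` and that all five packages follow the 5.0.x version line mentioned in this post; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

# Package ids listed in the post, lower-cased for case-insensitive matching.
AFFECTED_IDS = {
    "microsoft.data.services.client", "microsoft.data.services",
    "microsoft.data.odata", "microsoft.data.edm", "system.spatial",
}
FIXED = (5, 0, 2)  # version the post recommends upgrading to

def parse_version(text):
    """Turn '5.0.1' or '5.0.2-rc' into a comparable tuple of at least 3 ints."""
    numeric = text.split("-", 1)[0]  # drop any prerelease suffix
    parts = [int(p) for p in numeric.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def outdated_packages(packages_config):
    """Return sorted (id, version) pairs that are affected and below FIXED."""
    hits = []
    for pkg in ET.fromstring(packages_config).iter("package"):
        pkg_id, version = pkg.get("id", ""), pkg.get("version", "")
        if pkg_id.lower() not in AFFECTED_IDS:
            continue
        try:
            below = parse_version(version) < FIXED
        except ValueError:
            below = True  # unparseable version: flag for manual review
        if below:
            hits.append((pkg_id, version))
    return sorted(hits)

def scan_tree(root_dir):
    """Map each packages.config under root_dir to its outdated entries."""
    results = {}
    for path in Path(root_dir).rglob("packages.config"):
        hits = outdated_packages(path.read_bytes())
        if hits:
            results[str(path)] = hits
    return results

# Constructed sample input, not taken from a real project.
SAMPLE = """<packages>
  <package id="Microsoft.Data.Services.Client" version="5.0.1" />
  <package id="Microsoft.Data.OData" version="5.0.2" />
  <package id="System.Spatial" version="5.0.0.50403" />
  <package id="Newtonsoft.Json" version="4.5.9" />
</packages>"""

if __name__ == "__main__":
    for pkg_id, version in outdated_packages(SAMPLE):
        print(f"{pkg_id} {version} is below 5.0.2")
```

Call `scan_tree` with the root of a source checkout to get a per-file list of packages to upgrade.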