Update available for WCF Data Services 5.0.0

  • Question

  • Hi Beth,

    A bit confused about this update. We've just moved to 2012, and the data service download & main forum are only referencing 2010 for this version, plus the main data services forum has a higher version on it (5.2.0, http://blogs.msdn.com/b/astoriateam/). Please can you verify, using LS2 and 2012, which version we need to pull down, and pls pls pls what bug fixes might directly affect LS :)

    thanks

    Tuesday, December 18, 2012 12:56 PM

Answers

  • The OData team has two "trains" of OData, 5.0 and 5.2.  5.2 has many new features in it and may not be backwards compatible with VS 2012 / LIGHTSWITCH "V2".

    We will be incorporating newer versions of OData in newer releases of LIGHTSWITCH.

    Version 5.0 is what shipped with VS2012 / LIGHTSWITCH V2, and this is the version you should already have installed.  Yesterday, the OData team released an update to 5.0, to service existing customers who cannot move to 5.2 yet.  If you go to the 5.0 download page you'll see that it was last updated yesterday.

    We tested the new release of 5.0 against VS 2012 / LIGHTSWITCH V2 and detected no regressions.

    We have not tested OData 5.2 against VS 2012 / LIGHTSWITCH V2 and do not plan to.

    There was a denial of service vulnerability in OData 5.0; the new 5.0 bits released yesterday address this issue.

    An attacker, using a custom program like Fiddler or a tool they wrote themselves, could craft an invalid message that would cause the LS server to use 100% CPU.  Note that if you are using authentication in LIGHTSWITCH, we think the attacker would need to be an authenticated user before the attack could succeed.

    We recommend you update your dev machines and published apps to the newer OData 5.0 release, where this security problem has been fixed. But if you require authentication on your LS apps, and trust all of your users to behave themselves and not share their accounts or passwords with bad guys, you should be ok without doing the upgrade.

    So the short version is: Don't Panic, but we thought we should pass this info along.

    • Marked as answer by deanvanrooyen Tuesday, December 18, 2012 5:25 PM
    Tuesday, December 18, 2012 4:29 PM

All replies

  • thanks!!!
    Tuesday, December 18, 2012 5:25 PM
  • Hi Matt,

    Have you guys had any feedback on OData and the extra fluff it pushes down the wire?

    Tuesday, December 18, 2012 6:20 PM
  • Good to know there will be future releases of LightSwitch :)
    Wednesday, December 19, 2012 3:39 AM
  • Hi Matt,

    Will LS support JSON OData? This would help with the payloads.

    thanks

    Wednesday, December 19, 2012 9:22 AM
  • Yes, we are aware that the wire protocol got more bloated between V1 and V2 as a result of moving to OData, and we have detailed measurements about our performance changes between V1 and V2.

    We're also aware of what the OData team has done after the 5.0 release to help with the payload size.

    As far as there being a future release of LIGHTSWITCH -- as long as my badge lets me in the building each morning, I operate under the assumption that we're going to release a new version at some point.  That's all :)

    Wednesday, December 19, 2012 3:31 PM