
RedHat Enterprise Linux: RHSA-2019-1236 Moderate: .NET Core DoS Threat

Updates for rh-dotnetcore10-dotnetcore, rh-dotnetcore11-dotnetcore, rh-dotnet21-dotnet, rh-dotnet22-dotnet and rh-dotnet22-curl are now available for .NET Core on Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact

====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: .NET Core on Red Hat Enterprise Linux security and bug fix update
Advisory ID:       RHSA-2019:1236-01
Product:           .NET Core on Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2019:1236
Issue date:        2019-05-15
CVE Names:         CVE-2019-0820 CVE-2019-0980 CVE-2019-0981 
====================================================================
1. Summary:

Updates for rh-dotnetcore10-dotnetcore, rh-dotnetcore11-dotnetcore,
rh-dotnet21-dotnet, rh-dotnet22-dotnet and rh-dotnet22-curl are now
available for .NET Core on Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

.NET Core on Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
.NET Core on Red Hat Enterprise Linux Server (v. 7) - x86_64
.NET Core on Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

.NET Core is a managed-software framework. It implements a subset of the
.NET framework APIs and several new APIs, and it includes a CLR
implementation.

New versions of .NET Core that address security vulnerabilities are now
available. The updated versions are .NET Core 1.0.16, 1.1.13, 2.1.11, and
2.2.5.

Security Fix(es):

* dotNET: timeouts for regular expressions are not enforced (CVE-2019-0820)

* dotNET: infinite loop in URI.TryCreate leading to ASP.Net Core Denial of
Service (CVE-2019-0980)

* dotNET: crash in IPAddress.TryCreate leading to ASP.Net Core Denial of
Service (CVE-2019-0981)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):

* Re-enable bash completion in rh-dotnet22-dotnet (BZ#1654863)

* Error rebuilding rh-dotnet22-curl in CentOS (BZ#1678932)

* Broken apphost caused by unset DOTNET_ROOT (BZ#1703479)

* Make bash completion compatible with rh-dotnet22 packages (BZ#1705259)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1654863 - Re-enable bash completion in rh-dotnet22-dotnet
1678932 - Error rebuilding rh-dotnet22-curl in CentOS
1703479 - Broken apphost caused by unset DOTNET_ROOT
1703508 - Update to .NET Core 1.1.13
1704454 - Update to .NET Core 1.0.16
1704934 - Update to .NET Core Runtime 2.2.5 and SDK 2.2.107
1705147 - Update to .NET Core Runtime 2.1.11 and SDK 2.1.507
1705259 - Make bash completion compatible with rh-dotnet22 packages
1705502 - CVE-2019-0980 dotNET: infinite loop in URI.TryCreate leading to ASP.Net Core Denial of Service
1705504 - CVE-2019-0981 dotNET: crash in IPAddress.TryCreate leading to ASP.Net Core Denial of Service
1705506 - CVE-2019-0820 dotNET: timeouts for regular expressions are not enforced

6. Package List:

.NET Core on Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
rh-dotnetcore10-dotnetcore-1.0.16-1.el7.src.rpm

x86_64:
rh-dotnetcore10-dotnetcore-1.0.16-1.el7.x86_64.rpm
rh-dotnetcore10-dotnetcore-debuginfo-1.0.16-1.el7.x86_64.rpm

.NET Core on Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
rh-dotnetcore11-dotnetcore-1.1.13-1.el7.src.rpm

x86_64:
rh-dotnetcore11-dotnetcore-1.1.13-1.el7.x86_64.rpm
rh-dotnetcore11-dotnetcore-debuginfo-1.1.13-1.el7.x86_64.rpm

.NET Core on Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
rh-dotnet21-2.1-10.el7.src.rpm
rh-dotnet21-dotnet-2.1.507-2.el7.src.rpm

x86_64:
rh-dotnet21-2.1-10.el7.x86_64.rpm
rh-dotnet21-dotnet-2.1.507-2.el7.x86_64.rpm
rh-dotnet21-dotnet-debuginfo-2.1.507-2.el7.x86_64.rpm
rh-dotnet21-dotnet-host-2.1.11-2.el7.x86_64.rpm
rh-dotnet21-dotnet-runtime-2.1-2.1.11-2.el7.x86_64.rpm
rh-dotnet21-dotnet-sdk-2.1-2.1.507-2.el7.x86_64.rpm
rh-dotnet21-dotnet-sdk-2.1.5xx-2.1.507-2.el7.x86_64.rpm
rh-dotnet21-runtime-2.1-10.el7.x86_64.rpm

.NET Core on Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
rh-dotnet22-2.2-7.el7.src.rpm
rh-dotnet22-curl-7.61.1-2.el7.src.rpm
rh-dotnet22-dotnet-2.2.107-2.el7.src.rpm

x86_64:
rh-dotnet22-2.2-7.el7.x86_64.rpm
rh-dotnet22-curl-7.61.1-2.el7.x86_64.rpm
rh-dotnet22-curl-debuginfo-7.61.1-2.el7.x86_64.rpm
rh-dotnet22-dotnet-2.2.107-2.el7.x86_64.rpm
rh-dotnet22-dotnet-debuginfo-2.2.107-2.el7.x86_64.rpm
rh-dotnet22-dotnet-host-2.2.5-2.el7.x86_64.rpm
rh-dotnet22-dotnet-host-fxr-2.2-2.2.5-2.el7.x86_64.rpm
rh-dotnet22-dotnet-runtime-2.2-2.2.5-2.el7.x86_64.rpm
rh-dotnet22-dotnet-sdk-2.2-2.2.107-2.el7.x86_64.rpm
rh-dotnet22-dotnet-sdk-2.2.1xx-2.2.107-2.el7.x86_64.rpm
rh-dotnet22-libcurl-7.61.1-2.el7.x86_64.rpm
rh-dotnet22-libcurl-devel-7.61.1-2.el7.x86_64.rpm
rh-dotnet22-runtime-2.2-7.el7.x86_64.rpm

.NET Core on Red Hat Enterprise Linux Server (v. 7):

Source:
rh-dotnetcore10-dotnetcore-1.0.16-1.el7.src.rpm

x86_64:
rh-dotnetcore10-dotnetcore-1.0.16-1.el7.x86_64.rpm
rh-dotnetcore10-dotnetcore-debuginfo-1.0.16-1.el7.x86_64.rpm

.NET Core on Red Hat Enterprise Linux Server (v. 7):

Source:
rh-dotnetcore11-dotnetcore-1.1.13-1.el7.src.rpm

x86_64:
rh-dotnetcore11-dotnetcore-1.1.13-1.el7.x86_64.rpm
rh-dotnetcore11-dotnetcore-debuginfo-1.1.13-1.el7.x86_64.rpm

.NET Core on Red Hat Enterprise Linux Server (v. 7):

Source:
rh-dotnet21-2.1-10.el7.src.rpm
rh-dotnet21-dotnet-2.1.507-2.el7.src.rpm

x86_64:
rh-dotnet21-2.1-10.el7.x86_64.rpm
rh-dotnet21-dotnet-2.1.507-2.el7.x86_64.rpm
rh-dotnet21-dotnet-debuginfo-2.1.507-2.el7.x86_64.rpm
rh-dotnet21-dotnet-host-2.1.11-2.el7.x86_64.rpm
rh-dotnet21-dotnet-runtime-2.1-2.1.11-2.el7.x86_64.rpm
rh-dotnet21-dotnet-sdk-2.1-2.1.507-2.el7.x86_64.rpm
rh-dotnet21-dotnet-sdk-2.1.5xx-2.1.507-2.el7.x86_64.rpm
rh-dotnet21-runtime-2.1-10.el7.x86_64.rpm

.NET Core on Red Hat Enterprise Linux Server (v. 7):

Source:
rh-dotnet22-2.2-7.el7.src.rpm
rh-dotnet22-curl-7.61.1-2.el7.src.rpm
rh-dotnet22-dotnet-2.2.107-2.el7.src.rpm

x86_64:
rh-dotnet22-2.2-7.el7.x86_64.rpm
rh-dotnet22-curl-7.61.1-2.el7.x86_64.rpm
rh-dotnet22-curl-debuginfo-7.61.1-2.el7.x86_64.rpm
rh-dotnet22-dotnet-2.2.107-2.el7.x86_64.rpm
rh-dotnet22-dotnet-debuginfo-2.2.107-2.el7.x86_64.rpm
rh-dotnet22-dotnet-host-2.2.5-2.el7.x86_64.rpm
rh-dotnet22-dotnet-host-fxr-2.2-2.2.5-2.el7.x86_64.rpm
rh-dotnet22-dotnet-runtime-2.2-2.2.5-2.el7.x86_64.rpm
rh-dotnet22-dotnet-sdk-2.2-2.2.107-2.el7.x86_64.rpm
rh-dotnet22-dotnet-sdk-2.2.1xx-2.2.107-2.el7.x86_64.rpm
rh-dotnet22-libcurl-7.61.1-2.el7.x86_64.rpm
rh-dotnet22-libcurl-devel-7.61.1-2.el7.x86_64.rpm
rh-dotnet22-runtime-2.2-7.el7.x86_64.rpm

.NET Core on Red Hat Enterprise Linux Workstation (v. 7):

Source:
rh-dotnetcore10-dotnetcore-1.0.16-1.el7.src.rpm

x86_64:
rh-dotnetcore10-dotnetcore-1.0.16-1.el7.x86_64.rpm
rh-dotnetcore10-dotnetcore-debuginfo-1.0.16-1.el7.x86_64.rpm

.NET Core on Red Hat Enterprise Linux Workstation (v. 7):

Source:
rh-dotnetcore11-dotnetcore-1.1.13-1.el7.src.rpm

x86_64:
rh-dotnetcore11-dotnetcore-1.1.13-1.el7.x86_64.rpm
rh-dotnetcore11-dotnetcore-debuginfo-1.1.13-1.el7.x86_64.rpm

.NET Core on Red Hat Enterprise Linux Workstation (v. 7):

Source:
rh-dotnet21-2.1-10.el7.src.rpm
rh-dotnet21-dotnet-2.1.507-2.el7.src.rpm

x86_64:
rh-dotnet21-2.1-10.el7.x86_64.rpm
rh-dotnet21-dotnet-2.1.507-2.el7.x86_64.rpm
rh-dotnet21-dotnet-debuginfo-2.1.507-2.el7.x86_64.rpm
rh-dotnet21-dotnet-host-2.1.11-2.el7.x86_64.rpm
rh-dotnet21-dotnet-runtime-2.1-2.1.11-2.el7.x86_64.rpm
rh-dotnet21-dotnet-sdk-2.1-2.1.507-2.el7.x86_64.rpm
rh-dotnet21-dotnet-sdk-2.1.5xx-2.1.507-2.el7.x86_64.rpm
rh-dotnet21-runtime-2.1-10.el7.x86_64.rpm

.NET Core on Red Hat Enterprise Linux Workstation (v. 7):

Source:
rh-dotnet22-2.2-7.el7.src.rpm
rh-dotnet22-curl-7.61.1-2.el7.src.rpm
rh-dotnet22-dotnet-2.2.107-2.el7.src.rpm

x86_64:
rh-dotnet22-2.2-7.el7.x86_64.rpm
rh-dotnet22-curl-7.61.1-2.el7.x86_64.rpm
rh-dotnet22-curl-debuginfo-7.61.1-2.el7.x86_64.rpm
rh-dotnet22-dotnet-2.2.107-2.el7.x86_64.rpm
rh-dotnet22-dotnet-debuginfo-2.2.107-2.el7.x86_64.rpm
rh-dotnet22-dotnet-host-2.2.5-2.el7.x86_64.rpm
rh-dotnet22-dotnet-host-fxr-2.2-2.2.5-2.el7.x86_64.rpm
rh-dotnet22-dotnet-runtime-2.2-2.2.5-2.el7.x86_64.rpm
rh-dotnet22-dotnet-sdk-2.2-2.2.107-2.el7.x86_64.rpm
rh-dotnet22-dotnet-sdk-2.2.1xx-2.2.107-2.el7.x86_64.rpm
rh-dotnet22-libcurl-7.61.1-2.el7.x86_64.rpm
rh-dotnet22-libcurl-devel-7.61.1-2.el7.x86_64.rpm
rh-dotnet22-runtime-2.2-7.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-0820
https://access.redhat.com/security/cve/CVE-2019-0980
https://access.redhat.com/security/cve/CVE-2019-0981
https://access.redhat.com/security/updates/classification/#moderate




8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.

--
RHSA-announce mailing list
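
Added example, not part of the Red Hat advisory: a shell check that compares installed .NET Core packages against the fixed builds named in the package list above. The function names and the sample inventory are constructed for illustration, and GNU `sort -V` is assumed to approximate rpm's own version ordering for these builds.

```shell
# Fixed builds taken from the advisory's package list ("name version-release").
FIXED_BUILDS='rh-dotnetcore10-dotnetcore 1.0.16-1.el7
rh-dotnetcore11-dotnetcore 1.1.13-1.el7
rh-dotnet21-dotnet-runtime-2.1 2.1.11-2.el7
rh-dotnet22-dotnet-runtime-2.2 2.2.5-2.el7
rh-dotnet22-libcurl 7.61.1-2.el7'

# Succeeds when $1 sorts strictly before $2 under version sort.
# A plain string compare would wrongly rank 2.1.9 above 2.1.11.
ver_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Reads "name version-release" lines on stdin, prints one verdict for each
# package this advisory covers, and returns 1 if any is older than the fix.
check_rhsa_2019_1236() {
    status=0
    while read -r name installed; do
        fixed=$(printf '%s\n' "$FIXED_BUILDS" |
            awk -v n="$name" '$1 == n { print $2 }')
        [ -n "$fixed" ] || continue   # package not listed in this advisory
        if ver_lt "$installed" "$fixed"; then
            echo "OUTDATED $name $installed (fixed in $fixed)"
            status=1
        else
            echo "OK $name $installed"
        fi
    done
    return "$status"
}

# Constructed sample inventory, not output from a real host.
SAMPLE_INVENTORY='rh-dotnet22-dotnet-runtime-2.2 2.2.3-1.el7
rh-dotnet21-dotnet-runtime-2.1 2.1.11-2.el7
rh-dotnetcore11-dotnetcore 1.1.13-1.el7
bash 4.2.46-31.el7'

# On a real host, pipe in the output of:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'rh-dotnet*'
printf '%s\n' "$SAMPLE_INVENTORY" | check_rhsa_2019_1236 ||
    echo "At least one package predates RHSA-2019:1236"
```

A package reported as OK only means the build on disk is current; services started before the update keep running the old runtime until they are restarted.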

RedHat Enterprise Linux: RHSA-2019-1236 Moderate: .NET Core DoS Threat

May 15, 2019
Patches for .NET Core on Red Hat Enterprise Linux resolve concerns of moderate severity, with security enhancements now released.
Updates for rh-dotnetcore10-dotnetcore, rh-dotnetcore11-dotnetcore, rh-dotnet21-dotnet, rh-dotnet22-dotnet and rh-dotnet22-curl are now available for .NET Core on Red Hat Enterpris...

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Summary

.NET Core is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.
New versions of .NET Core that address security vulnerabilities are now available. The updated versions are .NET Core 1.0.16, 1.1.13, 2.1.11, and 2.2.5.
Security Fix(es):
* dotNET: timeouts for regular expressions are not enforced (CVE-2019-0820)
* dotNET: infinite loop in URI.TryCreate leading to ASP.Net Core Denial of Service (CVE-2019-0980)
* dotNET: crash in IPAddress.TryCreate leading to ASP.Net Core Denial of Service (CVE-2019-0981)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* Re-enable bash completion in rh-dotnet22-dotnet (BZ#1654863)
* Error rebuilding rh-dotnet22-curl in CentOS (BZ#1678932)
* Broken apphost caused by unset DOTNET_ROOT (BZ#1703479)
* Make bash completion compatible with rh-dotnet22 packages (BZ#1705259)

References

https://access.redhat.com/security/cve/CVE-2019-0820
https://access.redhat.com/security/cve/CVE-2019-0980
https://access.redhat.com/security/cve/CVE-2019-0981
https://access.redhat.com/security/updates/classification/#moderate

Package List

.NET Core on Red Hat Enterprise Linux ComputeNode (v. 7):
Source: rh-dotnetcore10-dotnetcore-1.0.16-1.el7.src.rpm
x86_64: rh-dotnetcore10-dotnetcore-1.0.16-1.el7.x86_64.rpm rh-dotnetcore10-dotnetcore-debuginfo-1.0.16-1.el7.x86_64.rpm
.NET Core on Red Hat Enterprise Linux ComputeNode (v. 7):
Source: rh-dotnetcore11-dotnetcore-1.1.13-1.el7.src.rpm
x86_64: rh-dotnetcore11-dotnetcore-1.1.13-1.el7.x86_64.rpm rh-dotnetcore11-dotnetcore-debuginfo-1.1.13-1.el7.x86_64.rpm
.NET Core on Red Hat Enterprise Linux ComputeNode (v. 7):
Source: rh-dotnet21-2.1-10.el7.src.rpm rh-dotnet21-dotnet-2.1.507-2.el7.src.rpm
x86_64: rh-dotnet21-2.1-10.el7.x86_64.rpm rh-dotnet21-dotnet-2.1.507-2.el7.x86_64.rpm rh-dotnet21-dotnet-debuginfo-2.1.507-2.el7.x86_64.rpm rh-dotnet21-dotnet-host-2.1.11-2.el7.x86_64.rpm rh-dotnet21-dotnet-runtime-2.1-2.1.11-2.el7.x86_64.rpm rh-dotnet21-dotnet-sdk-2.1-2.1.507-2.el7.x86_64.rpm rh-dotnet21-dotnet-sdk-2.1.5xx-2.1.507-2.el7.x86_64.rpm rh-dotnet21-runtime-2.1-10.el7.x86_64.rpm
.NET Core on Red Hat Enterprise Linux ComputeNode (v. 7):
Source: rh-dotnet22-2.2-7.el7.src.rpm rh-dotnet22-curl-7.61.1-2.el7.src.rpm rh-dotnet22-dotnet-2.2.107-2.el7.src.rpm
x86_64: rh-dotnet22-2.2-7.el7.x86_64.rpm rh-dotnet22-curl-7.61.1-2.el7.x86_64.rpm rh-dotnet22-curl-debuginfo-7.61.1-2.el7.x86_64.rpm


Advisory ID: RHSA-2019:1236-01
Product: .NET Core on Red Hat Enterprise Linux
Issue date: 2019-05-15

Topic

Updates for rh-dotnetcore10-dotnetcore, rh-dotnetcore11-dotnetcore, rh-dotnet21-dotnet, rh-dotnet22-dotnet and rh-dotnet22-curl are now available for .NET Core on Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Relevant Releases Architectures

.NET Core on Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64

.NET Core on Red Hat Enterprise Linux Server (v. 7) - x86_64

.NET Core on Red Hat Enterprise Linux Workstation (v. 7) - x86_64

Bugs Fixed

1654863 - Re-enable bash completion in rh-dotnet22-dotnet

1678932 - Error rebuilding rh-dotnet22-curl in CentOS

1703479 - Broken apphost caused by unset DOTNET_ROOT

1703508 - Update to .NET Core 1.1.13

1704454 - Update to .NET Core 1.0.16

1704934 - Update to .NET Core Runtime 2.2.5 and SDK 2.2.107

1705147 - Update to .NET Core Runtime 2.1.11 and SDK 2.1.507

1705259 - Make bash completion compatible with rh-dotnet22 packages

1705502 - CVE-2019-0980 dotNET: infinite loop in URI.TryCreate leading to ASP.Net Core Denial of Service

1705504 - CVE-2019-0981 dotNET: crash in IPAddress.TryCreate leading to ASP.Net Core Denial of Service

1705506 - CVE-2019-0820 dotNET: timeouts for regular expressions are not enforced
