Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 573
Alerts This Week
Warning Icon 1 573

RedHat Enterprise Linux: RHSA-2019-1236 Moderate: .NET Core DoS Threat

red hat
Calendar Grey May 15, 2019
Dist Redhat Esm H88
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ====================================================
Updates for rh-dotnetcore10-dotnetcore, rh-dotnetcore11-dotnetcore, rh-dotnet21-dotnet, rh-dotnet22-dotnet and rh-dotnet22-curl are now available for .NET Core on Red Hat Enterpris...

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Summary

.NET Core is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.
New versions of .NET Core that address security vulnerabilities are now available. The updated versions are .NET Core 1.0.16, 1.1.13, 2.1.11, and 2.2.5.
Security Fix(es):
* dotNET: timeouts for regular expressions are not enforced (CVE-2019-0820)
* dotNET: infinite loop in URI.TryCreate leading to ASP.Net Core Denial of Service (CVE-2019-0980)
* dotNET: crash in IPAddress.TryCreate leading to ASP.Net Core Denial of Service (CVE-2019-0981)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
* Re-enable bash completion in rh-dotnet22-dotnet (BZ#1654863)
* Error rebuilding rh-dotnet22-curl in CentOS (BZ#1678932)
* Broken apphost caused by unset DOTNET_ROOT (BZ#1703479)
* Make bash completion compatible with rh-dotnet22 packages (BZ#1705259)

References

https://access.redhat.com/security/cve/CVE-2019-0820 https://access.redhat.com/security/cve/CVE-2019-0980 https://access.redhat.com/security/cve/CVE-2019-0981 https://access.redhat.com/security/updates/classification/#moderate

Package List

.NET Core on Red Hat Enterprise Linux ComputeNode (v. 7):
Source: rh-dotnetcore10-dotnetcore-1.0.16-1.el7.src.rpm
x86_64: rh-dotnetcore10-dotnetcore-1.0.16-1.el7.x86_64.rpm rh-dotnetcore10-dotnetcore-debuginfo-1.0.16-1.el7.x86_64.rpm
.NET Core on Red Hat Enterprise Linux ComputeNode (v. 7):
Source: rh-dotnetcore11-dotnetcore-1.1.13-1.el7.src.rpm
x86_64: rh-dotnetcore11-dotnetcore-1.1.13-1.el7.x86_64.rpm rh-dotnetcore11-dotnetcore-debuginfo-1.1.13-1.el7.x86_64.rpm
.NET Core on Red Hat Enterprise Linux ComputeNode (v. 7):
Source: rh-dotnet21-2.1-10.el7.src.rpm rh-dotnet21-dotnet-2.1.507-2.el7.src.rpm
x86_64: rh-dotnet21-2.1-10.el7.x86_64.rpm rh-dotnet21-dotnet-2.1.507-2.el7.x86_64.rpm rh-dotnet21-dotnet-debuginfo-2.1.507-2.el7.x86_64.rpm rh-dotnet21-dotnet-host-2.1.11-2.el7.x86_64.rpm rh-dotnet21-dotnet-runtime-2.1-2.1.11-2.el7.x86_64.rpm rh-dotnet21-dotnet-sdk-2.1-2.1.507-2.el7.x86_64.rpm rh-dotnet21-dotnet-sdk-2.1.5xx-2.1.507-2.el7.x86_64.rpm rh-dotnet21-runtime-2.1-10.el7.x86_64.rpm
.NET Core on Red Hat Enterprise Linux ComputeNode (v. 7):
Source: rh-dotnet22-2.2-7.el7.src.rpm rh-dotnet22-curl-7.61.1-2.el7.src.rpm rh-dotnet22-dotnet-2.2.107-2.el7.src.rpm
x86_64: rh-dotnet22-2.2-7.el7.x86_64.rpm rh-dotnet22-curl-7.61.1-2.el7.x86_64.rpm rh-dotnet22-curl-debuginfo-7.61.1-2.el7.x86_64.rpm

Read the Full Advisory


Advisory ID: RHSA-2019:1236-01
Product: .NET Core on Red Hat Enterprise Linux
Issue date: 2019-05-15

Topic

Updates for rh-dotnetcore10-dotnetcore, rh-dotnetcore11-dotnetcore,rh-dotnet21-dotnet, rh-dotnet22-dotnet and rh-dotnet22-curl are nowavailable for .NET Core on Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.

Relevant Releases Architectures

.NET Core on Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64

.NET Core on Red Hat Enterprise Linux Server (v. 7) - x86_64

.NET Core on Red Hat Enterprise Linux Workstation (v. 7) - x86_64

Bugs Fixed

1654863 - Re-enable bash completion in rh-dotnet22-dotnet

1678932 - Error rebuilding rh-dotnet22-curl in CentOS

1703479 - Broken apphost caused by unset DOTNET_ROOT

1703508 - Update to .NET Core 1.1.13

1704454 - Update to .NET Core 1.0.16

1704934 - Update to .NET Core Runtime 2.2.5 and SDK 2.2.107

1705147 - Update to .NET Core Runtime 2.1.11 and SDK 2.1.507

1705259 - Make bash completion compatible with rh-dotnet22 packages

1705502 - CVE-2019-0980 dotNET: infinite loop in URI.TryCreate leading to ASP.Net Core Denial of Service

1705504 - CVE-2019-0981 dotNET: crash in IPAddress.TryCreate leading to ASP.Net Core Denial of Service

1705506 - CVE-2019-0820 dotNET: timeouts for regular expressions are not enforced

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.