Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 510
Alerts This Week
Warning Icon 1 510

Ubuntu 23.04 USN-6161-2 Moderate: Fix for .NET Certificate Imports

ubuntu
Calendar Grey June 23, 2023
Dist Ubuntu Esm H88
Resolve .NET regression issues in Ubuntu affecting certificate imports with improved security update guidance.
USN 6161-1 introduced a regression in .NET that could incorrectly cause X.509 certificate imports to fail when they should succeed.

Summary

USN 6161-1 introduced a regression in .NET that could incorrectly

cause X.509 certificate imports to fail when they should succeed.

Software Description:

- dotnet6: dotNET CLI tools and runtime

- dotnet7: dotNET CLI tools and runtime

Details:

USN-6161-1 fixed vulnerabilities in .NET. The update introduced

a regression with regards to how the runtime imported X.509

certificates. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

 It was discovered that .NET did not properly enforce certain

 restrictions when deserializing a DataSet or DataTable from

 XML. An attacker could possibly use this issue to elevate their

 privileges. (CVE-2023-24936)

 Kevin Jones discovered that .NET did not properly handle the

 AIA fetching process for X.509 client certificates. An attacker

 could possibly use this issue to cause a denial of service.

 (CVE-2023-29331)

 Kalle Niemitalo discovered that the .NET p...

Read the Full Advisory

Update Instructions

The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.04:
    aspnetcore-runtime-6.0         6.0.118-0ubuntu1~23.04.1
    aspnetcore-runtime-7.0         7.0.107-0ubuntu1~23.04.1
    dotnet-host                            6.0.118-0ubuntu1~23.04.1
    dotnet-host-7.0                      7.0.107-0ubuntu1~23.04.1
    dotnet-hostfxr-6.0                  6.0.118-0ubuntu1~23.04.1
    dotnet-hostfxr-7.0                  7.0.107-0ubuntu1~23.04.1
    dotnet-runtime-6.0                 6.0.118-0ubuntu1~23.04.1
    dotnet-runtime-7.0                 7.0.107-0ubuntu1~23.04.1
    dotnet-sdk-6.0                       6.0.118-0ubuntu1~23.04.1
    dotnet-sdk-7.0                       7.0.107-0ubuntu1~23.04.1
    dotnet6 6.0.118-0ubuntu1~23.04.1
    dotnet7 7.0.107-0ubuntu1~23.04.1

Ubuntu 22.10:
    aspnetcore-runtime-6.0         6.0.118-0ubuntu1~22.10.1
    aspnetcore-runtime-7.0         7.0.107-0ubuntu1~22.10.1
    dotnet-host 6.0.118-0ubuntu1~22.10.1
    dotnet-host-7.0                      7.0.107-0ubuntu1~22.10.1
    dotnet-hostfxr-6.0                  6.0.118-0ubuntu1~22.10.1
    dotnet-hostfxr-7.0                  7.0.107-0ubuntu1~22.10.1
    dotnet-runtime-6.0                 6.0.118-0ubuntu1~22.10.1
    dotnet-runtime-7.0                 7.0.107-0ubuntu1~22.10.1
    dotnet-sdk-6.0                       6.0.118-0ubuntu1~22.10.1
    dotnet-sdk-7.0                       7.0.107-0ubuntu1~22.10.1
    dotnet6 6.0.118-0ubuntu1~22.10.1
    dotnet7 7.0.107-0ubuntu1~22.10.1

Ubuntu 22.04 LTS:
    aspnetcore-runtime-6.0          6.0.118-0ubuntu1~22.04.1
    aspnetcore-runtime-7.0          7.0.107-0ubuntu1~22.04.1
    dotnet-host 6.0.118-0ubuntu1~22.04.1
    dotnet-host-7.0                      7.0.107-0ubuntu1~22.04.1
    dotnet-hostfxr-6.0                  6.0.118-0ubuntu1~22.04.1
    dotnet-hostfxr-7.0                  7.0.107-0ubuntu1~22.04.1
    dotnet-runtime-6.0                 6.0.118-0ubuntu1~22.04.1
    dotnet-runtime-7.0                 7.0.107-0ubuntu1~22.04.1
    dotnet-sdk-6.0                       6.0.118-0ubuntu1~22.04.1
    dotnet-sdk-7.0                       7.0.107-0ubuntu1~22.04.1
    dotnet6 6.0.118-0ubuntu1~22.04.1
    dotnet7 7.0.107-0ubuntu1~22.04.1

In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-6161-2

https://bugs.launchpad.net/ubuntu/+source/dotnet7/+bug/2024893, https://bugs.launchpad.net/ubuntu/+source/dotnet6/+bug/2024894

June 23, 2023

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.