Red Hat Security Advisory 2022-4588-01

Red Hat Security Advisory 2022-4588-01: Posted Jun 3, 2022; Authored by Red Hat | Site access.redhat.com; Red Hat Security Advisory 2022-4588-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET Core that address a security vulnerability are now available. The updated versions are .NET Core SDK 6.0.105 and .NET Core Runtime 6.0.5. Issues addressed include a denial of service vulnerability.; tags | advisory, denial of service; systems | linux, redhat; advisories | CVE-2022-23267, CVE-2022-29117, CVE-2022-29145; SHA-256 | e1971d19e1665c5518102e6ba41c086c25ba5a18576970a4ff15806c40e1cdef; Download | Favorite | View

Red Hat Security Advisory 2022-4588-01

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: .NET 6.0 security, bug fix, and enhancement update
Advisory ID:       RHSA-2022:4588-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:4588
Issue date:        2022-05-18
CVE Names:         CVE-2022-23267 CVE-2022-29117 CVE-2022-29145 
=====================================================================

1. Summary:

An update for .NET 6.0 is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 9) - aarch64, s390x, x86_64
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, s390x, x86_64

3. Description:

.NET is a managed-software framework. It implements a subset of the .NET
framework APIs and several new APIs, and it includes a CLR implementation.

New versions of .NET Core that address a security vulnerability are now
available. The updated versions are .NET Core SDK 6.0.105 and .NET Core
Runtime
6.0.5.

Security Fix(es):

* dotnet: excess memory allocation via HttpClient causes DoS
(CVE-2022-23267)

* dotnet: malicious content causes high CPU and memory usage
(CVE-2022-29117)

* dotnet: parsing HTML causes Denial of Service (CVE-2022-29145)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Bug Fix(es):

* Update .NET 6.0 to SDK 6.0.104 and Runtime 6.0.4 (BZ#2080460)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2083647 - CVE-2022-29117 dotnet: malicious content causes high CPU and memory usage
2083649 - CVE-2022-29145 dotnet: parsing HTML causes Denial of Service
2083650 - CVE-2022-23267 dotnet: excess memory allocation via HttpClient causes DoS

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
dotnet6.0-6.0.105-1.el9_0.src.rpm

aarch64:
aspnetcore-runtime-6.0-6.0.5-1.el9_0.aarch64.rpm
aspnetcore-targeting-pack-6.0-6.0.5-1.el9_0.aarch64.rpm
dotnet-apphost-pack-6.0-6.0.5-1.el9_0.aarch64.rpm
dotnet-apphost-pack-6.0-debuginfo-6.0.5-1.el9_0.aarch64.rpm
dotnet-host-6.0.5-1.el9_0.aarch64.rpm
dotnet-host-debuginfo-6.0.5-1.el9_0.aarch64.rpm
dotnet-hostfxr-6.0-6.0.5-1.el9_0.aarch64.rpm
dotnet-hostfxr-6.0-debuginfo-6.0.5-1.el9_0.aarch64.rpm
dotnet-runtime-6.0-6.0.5-1.el9_0.aarch64.rpm
dotnet-runtime-6.0-debuginfo-6.0.5-1.el9_0.aarch64.rpm
dotnet-sdk-6.0-6.0.105-1.el9_0.aarch64.rpm
dotnet-sdk-6.0-debuginfo-6.0.105-1.el9_0.aarch64.rpm
dotnet-targeting-pack-6.0-6.0.5-1.el9_0.aarch64.rpm
dotnet-templates-6.0-6.0.105-1.el9_0.aarch64.rpm
dotnet6.0-debuginfo-6.0.105-1.el9_0.aarch64.rpm
dotnet6.0-debugsource-6.0.105-1.el9_0.aarch64.rpm
netstandard-targeting-pack-2.1-6.0.105-1.el9_0.aarch64.rpm

s390x:
aspnetcore-runtime-6.0-6.0.5-1.el9_0.s390x.rpm
aspnetcore-targeting-pack-6.0-6.0.5-1.el9_0.s390x.rpm
dotnet-apphost-pack-6.0-6.0.5-1.el9_0.s390x.rpm
dotnet-apphost-pack-6.0-debuginfo-6.0.5-1.el9_0.s390x.rpm
dotnet-host-6.0.5-1.el9_0.s390x.rpm
dotnet-host-debuginfo-6.0.5-1.el9_0.s390x.rpm
dotnet-hostfxr-6.0-6.0.5-1.el9_0.s390x.rpm
dotnet-hostfxr-6.0-debuginfo-6.0.5-1.el9_0.s390x.rpm
dotnet-runtime-6.0-6.0.5-1.el9_0.s390x.rpm
dotnet-runtime-6.0-debuginfo-6.0.5-1.el9_0.s390x.rpm
dotnet-sdk-6.0-6.0.105-1.el9_0.s390x.rpm
dotnet-sdk-6.0-debuginfo-6.0.105-1.el9_0.s390x.rpm
dotnet-targeting-pack-6.0-6.0.5-1.el9_0.s390x.rpm
dotnet-templates-6.0-6.0.105-1.el9_0.s390x.rpm
dotnet6.0-debuginfo-6.0.105-1.el9_0.s390x.rpm
dotnet6.0-debugsource-6.0.105-1.el9_0.s390x.rpm
netstandard-targeting-pack-2.1-6.0.105-1.el9_0.s390x.rpm

x86_64:
aspnetcore-runtime-6.0-6.0.5-1.el9_0.x86_64.rpm
aspnetcore-targeting-pack-6.0-6.0.5-1.el9_0.x86_64.rpm
dotnet-apphost-pack-6.0-6.0.5-1.el9_0.x86_64.rpm
dotnet-apphost-pack-6.0-debuginfo-6.0.5-1.el9_0.x86_64.rpm
dotnet-host-6.0.5-1.el9_0.x86_64.rpm
dotnet-host-debuginfo-6.0.5-1.el9_0.x86_64.rpm
dotnet-hostfxr-6.0-6.0.5-1.el9_0.x86_64.rpm
dotnet-hostfxr-6.0-debuginfo-6.0.5-1.el9_0.x86_64.rpm
dotnet-runtime-6.0-6.0.5-1.el9_0.x86_64.rpm
dotnet-runtime-6.0-debuginfo-6.0.5-1.el9_0.x86_64.rpm
dotnet-sdk-6.0-6.0.105-1.el9_0.x86_64.rpm
dotnet-sdk-6.0-debuginfo-6.0.105-1.el9_0.x86_64.rpm
dotnet-targeting-pack-6.0-6.0.5-1.el9_0.x86_64.rpm
dotnet-templates-6.0-6.0.105-1.el9_0.x86_64.rpm
dotnet6.0-debuginfo-6.0.105-1.el9_0.x86_64.rpm
dotnet6.0-debugsource-6.0.105-1.el9_0.x86_64.rpm
netstandard-targeting-pack-2.1-6.0.105-1.el9_0.x86_64.rpm

Red Hat CodeReady Linux Builder (v. 9):

aarch64:
dotnet-apphost-pack-6.0-debuginfo-6.0.5-1.el9_0.aarch64.rpm
dotnet-host-debuginfo-6.0.5-1.el9_0.aarch64.rpm
dotnet-hostfxr-6.0-debuginfo-6.0.5-1.el9_0.aarch64.rpm
dotnet-runtime-6.0-debuginfo-6.0.5-1.el9_0.aarch64.rpm
dotnet-sdk-6.0-debuginfo-6.0.105-1.el9_0.aarch64.rpm
dotnet-sdk-6.0-source-built-artifacts-6.0.105-1.el9_0.aarch64.rpm
dotnet6.0-debuginfo-6.0.105-1.el9_0.aarch64.rpm
dotnet6.0-debugsource-6.0.105-1.el9_0.aarch64.rpm

s390x:
dotnet-apphost-pack-6.0-debuginfo-6.0.5-1.el9_0.s390x.rpm
dotnet-host-debuginfo-6.0.5-1.el9_0.s390x.rpm
dotnet-hostfxr-6.0-debuginfo-6.0.5-1.el9_0.s390x.rpm
dotnet-runtime-6.0-debuginfo-6.0.5-1.el9_0.s390x.rpm
dotnet-sdk-6.0-debuginfo-6.0.105-1.el9_0.s390x.rpm
dotnet-sdk-6.0-source-built-artifacts-6.0.105-1.el9_0.s390x.rpm
dotnet6.0-debuginfo-6.0.105-1.el9_0.s390x.rpm
dotnet6.0-debugsource-6.0.105-1.el9_0.s390x.rpm

x86_64:
dotnet-apphost-pack-6.0-debuginfo-6.0.5-1.el9_0.x86_64.rpm
dotnet-host-debuginfo-6.0.5-1.el9_0.x86_64.rpm
dotnet-hostfxr-6.0-debuginfo-6.0.5-1.el9_0.x86_64.rpm
dotnet-runtime-6.0-debuginfo-6.0.5-1.el9_0.x86_64.rpm
dotnet-sdk-6.0-debuginfo-6.0.105-1.el9_0.x86_64.rpm
dotnet-sdk-6.0-source-built-artifacts-6.0.105-1.el9_0.x86_64.rpm
dotnet6.0-debuginfo-6.0.105-1.el9_0.x86_64.rpm
dotnet6.0-debugsource-6.0.105-1.el9_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2022-23267
https://access.redhat.com/security/cve/CVE-2022-29117
https://access.redhat.com/security/cve/CVE-2022-29145
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYpn+t9zjgjWX9erEAQgs6g/+P79AtYxChNq2A8vD5SfHUz4h+ItbDaKI
SMNwPUG37gTkUvT599LD4c8GKTUR1emhUDnulDsh8VydNrgUQByfoAkWeGvruMFp
X5fO29wIYvYStZIJ3283dVqz6tE2i+UuLPPbExESyMZMWASmH8r59oHhnP0aO9Ra
GeDkRp5anK1CcL7LUZc8pAkaeQ18HIiaSheXNY2mN9mws5wKjsIEaXExuDDRdBIQ
dW44BdXYRr6i5Z95NHhrVQ5CyiEB5+H/OvV3N3croJkD/n9qg1b+mKFw2QgwCWUn
2/8qzvKBOY98n99lxL51sukGA7oE+TTT5geFF9e3ia6nH5mFYcqFhKETHVIg8QHX
38ov8/LmEJ6heNh2Z50pDwAXejliO53VJmcWgI+uSASC8AaGwWNGMgPsf/mQ/jAO
vig9hCOCPIzLKrQ3nK8oPdGKlEb61oiaqudN++IwNiGbwg/KoX/pZ3sHHgY980Mi
b1ceAywsCuCzQIkFqS0ILPRpl3u1K3gAVs/RI7TPRCxcY3+OuBI4ParaCgoAxF7d
69mhSzw9fNFPBk3Co4rRtHLDj7ZnRkhE/gEVjMDw4QcwjYUavqb89RaJB4Ca1fcA
motATzCZhDU0p069Yl/wUoS7MeVv5DhUQU/dExcxVdSgEhHvI/u56wso3MlTXOpl
JmsjgpNZyTw=
=JMkW
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Top Authors In Last 30 Days

Red Hat 232 files
Ubuntu 59 files
Debian 27 files
Valentin Lobstein 11 files
LiquidWorm 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,318)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,567)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,456)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

Red Hat Security Advisory 2022-4588-01

Red Hat Security Advisory 2022-4588-01

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Red Hat Security Advisory 2022-4588-01

Share This

Red Hat Security Advisory 2022-4588-01

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems