Ubuntu Security Notice 6161-1 - It was discovered that .NET did not properly enforce certain restrictions when deserializing a DataSet or DataTable from XML. An attacker could possibly use this issue to elevate their privileges. Kevin Jones discovered that .NET did not properly handle the AIA fetching process for X.509 client certificates. An attacker could possibly use this issue to cause a denial of service.
d9a88210f8d5a28da35d8d47eaac79e52239e45f7bc38b4cca8e4ed63b990813
==========================================================================
Ubuntu Security Notice USN-6161-1
June 13, 2023
dotnet6, dotnet7 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.04
- Ubuntu 22.10
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in .NET.
Software Description:
- dotnet6: dotNET CLI tools and runtime
- dotnet7: dotNET CLI tools and runtime
Details:
It was discovered that .NET did not properly enforce certain
restrictions when deserializing a DataSet or DataTable from
XML. An attacker could possibly use this issue to elevate their
privileges. (CVE-2023-24936)
Kevin Jones discovered that .NET did not properly handle the
AIA fetching process for X.509 client certificates. An attacker
could possibly use this issue to cause a denial of service.
(CVE-2023-29331)
Kalle Niemitalo discovered that the .NET package manager,
NuGet, was susceptible to a potential race condition. An
attacker could possibly use this issue to perform remote
code execution. (CVE-2023-29337)
Tom Deseyn discovered that .NET did not properly process certain
arguments when extracting the contents of a tar file. An attacker
could possibly use this issue to elevate their privileges. This
issue only affected the dotnet7 package. (CVE-2023-32032)
It was discovered that .NET did not properly handle memory in
certain circumstances. An attacker could possibly use this issue
to cause a denial of service or perform remote code execution.
(CVE-2023-33128)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.04:
aspnetcore-runtime-6.0 6.0.118-0ubuntu1~23.04.1
aspnetcore-runtime-7.0 7.0.107-0ubuntu1~23.04.1
dotnet-host 6.0.118-0ubuntu1~23.04.1
dotnet-host-7.0 7.0.107-0ubuntu1~23.04.1
dotnet-hostfxr-6.0 6.0.118-0ubuntu1~23.04.1
dotnet-hostfxr-7.0 7.0.107-0ubuntu1~23.04.1
dotnet-runtime-6.0 6.0.118-0ubuntu1~23.04.1
dotnet-runtime-7.0 7.0.107-0ubuntu1~23.04.1
dotnet-sdk-6.0 6.0.118-0ubuntu1~23.04.1
dotnet-sdk-7.0 7.0.107-0ubuntu1~23.04.1
dotnet6 6.0.118-0ubuntu1~23.04.1
dotnet7 7.0.107-0ubuntu1~23.04.1
Ubuntu 22.10:
aspnetcore-runtime-6.0 6.0.118-0ubuntu1~22.10.1
aspnetcore-runtime-7.0 7.0.107-0ubuntu1~22.10.1
dotnet-host 6.0.118-0ubuntu1~22.10.1
dotnet-host-7.0 7.0.107-0ubuntu1~22.10.1
dotnet-hostfxr-6.0 6.0.118-0ubuntu1~22.10.1
dotnet-hostfxr-7.0 7.0.107-0ubuntu1~22.10.1
dotnet-runtime-6.0 6.0.118-0ubuntu1~22.10.1
dotnet-runtime-7.0 7.0.107-0ubuntu1~22.10.1
dotnet-sdk-6.0 6.0.118-0ubuntu1~22.10.1
dotnet-sdk-7.0 7.0.107-0ubuntu1~22.10.1
dotnet6 6.0.118-0ubuntu1~22.10.1
dotnet7 7.0.107-0ubuntu1~22.10.1
Ubuntu 22.04 LTS:
aspnetcore-runtime-6.0 6.0.118-0ubuntu1~22.04.1
aspnetcore-runtime-7.0 7.0.107-0ubuntu1~22.04.1
dotnet-host 6.0.118-0ubuntu1~22.04.1
dotnet-host-7.0 7.0.107-0ubuntu1~22.04.1
dotnet-hostfxr-6.0 6.0.118-0ubuntu1~22.04.1
dotnet-hostfxr-7.0 7.0.107-0ubuntu1~22.04.1
dotnet-runtime-6.0 6.0.118-0ubuntu1~22.04.1
dotnet-runtime-7.0 7.0.107-0ubuntu1~22.04.1
dotnet-sdk-6.0 6.0.118-0ubuntu1~22.04.1
dotnet-sdk-7.0 7.0.107-0ubuntu1~22.04.1
dotnet6 6.0.118-0ubuntu1~22.04.1
dotnet7 7.0.107-0ubuntu1~22.04.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6161-1
CVE-2023-24936, CVE-2023-29331, CVE-2023-29337, CVE-2023-32032,
CVE-2023-33128
Package Information:
https://launchpad.net/ubuntu/+source/dotnet6/6.0.118-0ubuntu1~23.04.1
https://launchpad.net/ubuntu/+source/dotnet7/7.0.107-0ubuntu1~23.04.1
https://launchpad.net/ubuntu/+source/dotnet6/6.0.118-0ubuntu1~22.10.1
https://launchpad.net/ubuntu/+source/dotnet7/7.0.107-0ubuntu1~22.10.1
https://launchpad.net/ubuntu/+source/dotnet6/6.0.118-0ubuntu1~22.04.1
https://launchpad.net/ubuntu/+source/dotnet7/7.0.107-0ubuntu1~22.04.1