Ubuntu Security Notice 7058-1 - Brennan Conroy discovered that the .NET Kestrel web server did not properly handle closing HTTP/3 streams under certain circumstances. An attacker could possibly use this issue to achieve remote code execution. This vulnerability only impacted Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. It was discovered that .NET components designed to process malicious input were susceptible to hash flooding attacks. An attacker could possibly use this issue to cause a denial of service, resulting in a crash.
7c2a72d2e3f5c488eca942d9bdc22357a2db233048ced41c29d92e7a98552b28==========================================================================
Ubuntu Security Notice USN-7058-1
October 08, 2024
dotnet6, dotnet8 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
Summary:
Several security issues were fixed in dotnet6, dotnet8.
Software Description:
- dotnet8: .NET CLI tools and runtime
- dotnet6: .NET CLI tools and runtime
Details:
Brennan Conroy discovered that the .NET Kestrel web server did not
properly handle closing HTTP/3 streams under certain circumstances. An
attacker could possibly use this issue to achieve remote code execution.
This vulnerability only impacted Ubuntu 22.04 LTS and Ubuntu 24.04 LTS.
(CVE-2024-38229)
It was discovered that .NET components designed to process malicious input
were susceptible to hash flooding attacks. An attacker could possibly use
this issue to cause a denial of service, resulting in a crash.
(CVE-2024-43483)
It was discovered that the .NET System.IO.Packaging namespace did not
properly process SortedList data structures. An attacker could possibly
use this issue to cause a denial of service, resulting in a crash.
(CVE-2024-43484)
It was discovered that .NET did not properly handle the deserialization of
of certain JSON properties. An attacker could possibly use this issue to
cause a denial of service, resulting in a crash. (CVE-2024-43485)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
aspnetcore-runtime-8.0 8.0.10-0ubuntu1~24.04.1
dotnet-host-8.0 8.0.10-0ubuntu1~24.04.1
dotnet-hostfxr-8.0 8.0.10-0ubuntu1~24.04.1
dotnet-runtime-8.0 8.0.10-0ubuntu1~24.04.1
dotnet-sdk-8.0 8.0.110-0ubuntu1~24.04.1
dotnet8 8.0.110-8.0.10-0ubuntu1~24.04.1
Ubuntu 22.04 LTS
aspnetcore-runtime-6.0 6.0.135-0ubuntu1~22.04.1
aspnetcore-runtime-8.0 8.0.10-0ubuntu1~22.04.1
dotnet-host 6.0.135-0ubuntu1~22.04.1
dotnet-host-8.0 8.0.10-0ubuntu1~22.04.1
dotnet-hostfxr-6.0 6.0.135-0ubuntu1~22.04.1
dotnet-hostfxr-8.0 8.0.10-0ubuntu1~22.04.1
dotnet-runtime-6.0 6.0.135-0ubuntu1~22.04.1
dotnet-runtime-8.0 8.0.10-0ubuntu1~22.04.1
dotnet-sdk-6.0 6.0.135-0ubuntu1~22.04.1
dotnet-sdk-8.0 8.0.110-0ubuntu1~22.04.1
dotnet6 6.0.135-0ubuntu1~22.04.1
dotnet8 8.0.110-8.0.10-0ubuntu1~22.04.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7058-1
CVE-2024-38229, CVE-2024-43483, CVE-2024-43484, CVE-2024-43485
Package Information:
https://launchpad.net/ubuntu/+source/dotnet8/8.0.110-8.0.10-0ubuntu1~24.04.1
https://launchpad.net/ubuntu/+source/dotnet6/6.0.135-0ubuntu1~22.04.1
https://launchpad.net/ubuntu/+source/dotnet8/8.0.110-8.0.10-0ubuntu1~22.04.1
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed