-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: dotnet security, bug fix, and enhancement update Advisory ID: RHSA-2019:1259-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2019:1259 Issue date: 2019-05-22 CVE Names: CVE-2019-0757 CVE-2019-0820 CVE-2019-0980 CVE-2019-0981 ==================================================================== 1. Summary: An update for dotnet is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux AppStream (v. 8) - x86_64 3. Description: .NET Core is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. A new version of .NET Core that address security vulnerabilities is now available. The updated version is .NET Core Runtime 2.1.11 and SDK 2.1.507. Security Fix(es): * dotnet: NuGet Tampering Vulnerability (CVE-2019-0757) * dotnet: timeouts for regular expressions are not enforced (CVE-2019-0820) * dotnet: infinite loop in URI.TryCreate leading to ASP.Net Core Denial of Service (CVE-2019-0980) * dotnet: crash in IPAddress.TryCreate leading to ASP.Net Core Denial of Service (CVE-2019-0981) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es): * dotnet: new SocketException((int)SocketError.InvalidArgument).Message is empty (BZ#1712471) 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1685475 - CVE-2019-0757 dotnet: NuGet Tampering Vulnerability 1696836 - Update .NET Core 2.1 to Runtime 2.1.10 and SDK 2.1.506 1705502 - CVE-2019-0980 dotnet: infinite loop in Uri.TryCreate leading to ASP.Net Core Denial of Service 1705504 - CVE-2019-0981 dotnet: crash in IPAddress.TryCreate leading to ASP.Net Core Denial of Service 1705506 - CVE-2019-0820 dotnet: timeouts for regular expressions are not enforced 1710068 - Update .NET Core 2.1 to Runtime 2.1.11 and SDK 2.1.507 1712471 - new SocketException((int)SocketError.InvalidArgument).Message is empty 6. Package List: Red Hat Enterprise Linux AppStream (v. 8): Source: dotnet-2.1.507-2.el8_0.src.rpm x86_64: dotnet-2.1.507-2.el8_0.x86_64.rpm dotnet-debuginfo-2.1.507-2.el8_0.x86_64.rpm dotnet-debugsource-2.1.507-2.el8_0.x86_64.rpm dotnet-host-2.1.11-2.el8_0.x86_64.rpm dotnet-host-debuginfo-2.1.11-2.el8_0.x86_64.rpm dotnet-host-fxr-2.1-2.1.11-2.el8_0.x86_64.rpm dotnet-host-fxr-2.1-debuginfo-2.1.11-2.el8_0.x86_64.rpm dotnet-runtime-2.1-2.1.11-2.el8_0.x86_64.rpm dotnet-runtime-2.1-debuginfo-2.1.11-2.el8_0.x86_64.rpm dotnet-sdk-2.1-2.1.507-2.el8_0.x86_64.rpm dotnet-sdk-2.1.5xx-2.1.507-2.el8_0.x86_64.rpm dotnet-sdk-2.1.5xx-debuginfo-2.1.507-2.el8_0.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2019-0757 https://access.redhat.com/security/cve/CVE-2019-0820 https://access.redhat.com/security/cve/CVE-2019-0980 https://access.redhat.com/security/cve/CVE-2019-0981 https://access.redhat.com/security/updates/classification/#important https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0757 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0820 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0980 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0981 https://github.com/dotnet/core/blob/master/release-notes/2.1/2.1.11/2.1.11.md 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2019 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXOUjC9zjgjWX9erEAQijlA//ZpCMAwMddsDWWzW0pVP6ne4fAGnloPLS lxiZntJ7Pw+6z0PKDXnwVbJsI1O+FvDggblYb7ahlVcpqhcIJtET9V5hb/luE/MC uplpk05Fuqkd+niAlHnUP/5eMv1pRNIOoKVLLdfSjskYm0MirRgvs1ZVttttsynE A1s5HCVxcUjLWH/coYOVDttTo1ZiJjsQU7HWF74TPHq+t2nTf1Q9cz329NYLPCcN yPrGfD2RaBfA7Wx8yVzDYVBo0dsvsixaruaSSwT+RRQj/vDnoEY+rGeqYRBgHe9V qvZnNcMC5eizOtzfzrfnMibuHcN/zeOG+NHDNvcbvwQcGi7RRlYx6q5O0ZQ9KudA NYh76/RAyQ9CwnilMBC/aX7zPQ9OHFauEpEovCvUkCpCTItPNKlZrq6o6xaEMtcb xFmbAjMiJoHzrSUcfnt3PG/IMx2TSMIfc8bsBQF2XIohzulTfPpsLge+AgJqqJw9 VfeHlcNlIAh+e93X9/urCEhBJs+pWZx9VVd/xmRZzcYlBf2bBUDKEksCJkL2nT46 WuOoKRAszbfAJbgft8Z+nhP3fm281sp83/LSJ9K60NwHmmgddNEyrP7RvodBHLSA oJ6ocMgnBVHLmvs+jdDINNL+ImY838taY5DuxC18FrFSji6iqQK0dblFe8p6iloQ roCC4T9QbTcÍSb -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce