Synopsis
Moderate: .NET Core on Red Hat Enterprise Linux security and bug fix update
Type/Severity
Security Advisory: Moderate
Topic
Updates for rh-dotnetcore10-dotnetcore, rh-dotnetcore11-dotnetcore, rh-dotnet21-dotnet, rh-dotnet22-dotnet and rh-dotnet22-curl are now available for .NET Core on Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
.NET Core is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.
New versions of .NET Core that address security vulnerabilities are now available. The updated versions are .NET Core 1.0.16, 1.1.13, 2.1.11, and 2.2.5.
Security Fix(es):
- dotNET: timeouts for regular expressions are not enforced (CVE-2019-0820)
- dotNET: infinite loop in URI.TryCreate leading to ASP.Net Core Denial of Service (CVE-2019-0980)
- dotNET: crash in IPAddress.TryCreate leading to ASP.Net Core Denial of Service (CVE-2019-0981)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
- Re-enable bash completion in rh-dotnet22-dotnet (BZ#1654863)
- Error rebuilding rh-dotnet22-curl in CentOS (BZ#1678932)
- Broken apphost caused by unset DOTNET_ROOT (BZ#1703479)
- Make bash completion compatible with rh-dotnet22 packages (BZ#1705259)
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
Affected Products
-
dotNET on RHEL (for RHEL Server) 1 x86_64
-
dotNET on RHEL (for RHEL Workstation) 1 x86_64
-
dotNET on RHEL (for RHEL Compute Node) 1 x86_64
Fixes
- BZ - 1654863 - Re-enable bash completion in rh-dotnet22-dotnet
- BZ - 1678932 - Error rebuilding rh-dotnet22-curl in CentOS
- BZ - 1703479 - Broken apphost caused by unset DOTNET_ROOT
- BZ - 1703508 - Update to .NET Core 1.1.13
- BZ - 1704454 - Update to .NET Core 1.0.16
- BZ - 1704934 - Update to .NET Core Runtime 2.2.5 and SDK 2.2.107
- BZ - 1705147 - Update to .NET Core Runtime 2.1.11 and SDK 2.1.507
- BZ - 1705259 - Make bash completion compatible with rh-dotnet22 packages
- BZ - 1705502 - CVE-2019-0980 dotNET: infinite loop in URI.TryCreate leading to ASP.Net Core Denial of Service
- BZ - 1705504 - CVE-2019-0981 dotNET: crash in IPAddress.TryCreate leading to ASP.Net Core Denial of Service
- BZ - 1705506 - CVE-2019-0820 dotNET: timeouts for regular expressions are not enforced
CVEs
References