Executive Summary

Summary
Title .NET Core on Red Hat Enterprise Linux security and bug fix update
Informations
Name RHSA-2019:1236 First vendor Publication 2019-05-15
Vendor RedHat Last vendor Modification 2019-05-15
Severity (Vendor) N/A Revision 01

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Cvss Base Score 5 Attack Range Network
Cvss Impact Score 2.9 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Problem Description:

Updates for rh-dotnetcore10-dotnetcore, rh-dotnetcore11-dotnetcore, rh-dotnet21-dotnet, rh-dotnet22-dotnet and rh-dotnet22-curl are now available for .NET Core on Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

.NET Core on Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64 .NET Core on Red Hat Enterprise Linux Server (v. 7) - x86_64 .NET Core on Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

.NET Core is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.

New versions of .NET Core that address security vulnerabilities are now available. The updated versions are .NET Core 1.0.16, 1.1.13, 2.1.11, and 2.2.5.

Security Fix(es):

* dotNET: timeouts for regular expressions are not enforced (CVE-2019-0820)

* dotNET: infinite loop in URI.TryCreate leading to ASP.Net Core Denial of Service (CVE-2019-0980)

* dotNET: crash in IPAddress.TryCreate leading to ASP.Net Core Denial of Service (CVE-2019-0981)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

* Re-enable bash completion in rh-dotnet22-dotnet (BZ#1654863)

* Error rebuilding rh-dotnet22-curl in CentOS (BZ#1678932)

* Broken apphost caused by unset DOTNET_ROOT (BZ#1703479)

* Make bash completion compatible with rh-dotnet22 packages (BZ#1705259)

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1654863 - Re-enable bash completion in rh-dotnet22-dotnet 1678932 - Error rebuilding rh-dotnet22-curl in CentOS 1703479 - Broken apphost caused by unset DOTNET_ROOT 1703508 - Update to .NET Core 1.1.13 1704454 - Update to .NET Core 1.0.16 1704934 - Update to .NET Core Runtime 2.2.5 and SDK 2.2.107 1705147 - Update to .NET Core Runtime 2.1.11 and SDK 2.1.507 1705259 - Make bash completion compatible with rh-dotnet22 packages 1705502 - CVE-2019-0980 dotNET: infinite loop in URI.TryCreate leading to ASP.Net Core Denial of Service 1705504 - CVE-2019-0981 dotNET: crash in IPAddress.TryCreate leading to ASP.Net Core Denial of Service 1705506 - CVE-2019-0820 dotNET: timeouts for regular expressions are not enforced

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2019-1236.html

CWE : Common Weakness Enumeration

% Id Name
67 % CWE-19 Data Handling
33 % CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 4
Os 1
Os 4
Os 3
Os 3

Alert History

If you want to see full details history, please login or register.
0
Date Informations
2020-03-19 13:18:24
  • First insertion