[USN-6217-1] .NET vulnerability
Ian Constantin
ian.constantin at canonical.com
Tue Jul 11 20:16:11 UTC 2023
==========================================================================
Ubuntu Security Notice USN-6217-1
July 11, 2023
dotnet6, dotnet7 vulnerability
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.04
- Ubuntu 22.10
- Ubuntu 22.04 LTS
Summary:
The maximum failed attempts security feature for .NET could be bypassed.
Software Description:
- dotnet6: dotNET CLI tools and runtime
- dotnet7: dotNET CLI tools and runtime
Details:
McKee-Harris, Matt Cotterell, and Jack Moran discovered that .NET did
not properly update account lockout maximum failed attempts. An
attacker could possibly use this issue to bypass the security feature
and attempt to guess more passwords for an account.
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.04:
aspnetcore-runtime-6.0 6.0.120-0ubuntu1~23.04.1
aspnetcore-runtime-7.0 7.0.109-0ubuntu1~23.04.1
dotnet-host 6.0.120-0ubuntu1~23.04.1
dotnet-host-7.0 7.0.109-0ubuntu1~23.04.1
dotnet-hostfxr-6.0 6.0.120-0ubuntu1~23.04.1
dotnet-hostfxr-7.0 7.0.109-0ubuntu1~23.04.1
dotnet-runtime-6.0 6.0.120-0ubuntu1~23.04.1
dotnet-runtime-7.0 7.0.109-0ubuntu1~23.04.1
dotnet-sdk-6.0 6.0.120-0ubuntu1~23.04.1
dotnet-sdk-7.0 7.0.109-0ubuntu1~23.04.1
dotnet6 6.0.120-0ubuntu1~23.04.1
dotnet7 7.0.109-0ubuntu1~23.04.1
Ubuntu 22.10:
aspnetcore-runtime-6.0 6.0.120-0ubuntu1~22.10.1
aspnetcore-runtime-7.0 7.0.109-0ubuntu1~22.10.1
dotnet-host 6.0.120-0ubuntu1~22.10.1
dotnet-host-7.0 7.0.109-0ubuntu1~22.10.1
dotnet-hostfxr-6.0 6.0.120-0ubuntu1~22.10.1
dotnet-hostfxr-7.0 7.0.109-0ubuntu1~22.10.1
dotnet-runtime-6.0 6.0.120-0ubuntu1~22.10.1
dotnet-runtime-7.0 7.0.109-0ubuntu1~22.10.1
dotnet-sdk-6.0 6.0.120-0ubuntu1~22.10.1
dotnet-sdk-7.0 7.0.109-0ubuntu1~22.10.1
dotnet6 6.0.120-0ubuntu1~22.10.1
dotnet7 7.0.109-0ubuntu1~22.10.1
Ubuntu 22.04 LTS:
aspnetcore-runtime-6.0 6.0.120-0ubuntu1~22.04.1
aspnetcore-runtime-7.0 7.0.109-0ubuntu1~22.04.1
dotnet-host 6.0.120-0ubuntu1~22.04.1
dotnet-host-7.0 7.0.109-0ubuntu1~22.04.1
dotnet-hostfxr-6.0 6.0.120-0ubuntu1~22.04.1
dotnet-hostfxr-7.0 7.0.109-0ubuntu1~22.04.1
dotnet-runtime-6.0 6.0.120-0ubuntu1~22.04.1
dotnet-runtime-7.0 7.0.109-0ubuntu1~22.04.1
dotnet-sdk-6.0 6.0.120-0ubuntu1~22.04.1
dotnet-sdk-7.0 7.0.109-0ubuntu1~22.04.1
dotnet6 6.0.120-0ubuntu1~22.04.1
dotnet7 7.0.109-0ubuntu1~22.04.1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6217-1
CVE-2023-33170
Package Information:
https://launchpad.net/ubuntu/+source/dotnet6/6.0.120-0ubuntu1~23.04.1
https://launchpad.net/ubuntu/+source/dotnet7/7.0.109-0ubuntu1~23.04.1
https://launchpad.net/ubuntu/+source/dotnet6/6.0.120-0ubuntu1~22.10.1
https://launchpad.net/ubuntu/+source/dotnet7/7.0.109-0ubuntu1~22.10.1
https://launchpad.net/ubuntu/+source/dotnet6/6.0.120-0ubuntu1~22.04.1
https://launchpad.net/ubuntu/+source/dotnet7/7.0.109-0ubuntu1~22.04.1
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20230711/f2b64939/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 665 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20230711/f2b64939/attachment-0001.sig>
More information about the ubuntu-security-announce
mailing list