<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body>
<p>==========================================================================<br>
Ubuntu Security Notice USN-6161-2<br>
June 23, 2023<br>
<br>
dotnet6, dotnet7 regression<br>
==========================================================================<br>
<br>
A security issue affects these releases of Ubuntu and its
derivatives:<br>
<br>
- Ubuntu 23.04<br>
- Ubuntu 22.10<br>
- Ubuntu 22.04 LTS<br>
<br>
Summary:<br>
<br>
USN 6161-1 introduced a regression in .NET that could incorrectly<br>
cause X.509 certificate imports to fail when they should succeed.<br>
<br>
Software Description:<br>
- dotnet6: dotNET CLI tools and runtime<br>
- dotnet7: dotNET CLI tools and runtime<br>
<br>
Details:<br>
<br>
USN-6161-1 fixed vulnerabilities in .NET. The update introduced<br>
a regression with regards to how the runtime imported X.509<br>
certificates. This update fixes the problem.<br>
<br>
We apologize for the inconvenience.<br>
<br>
Original advisory details:<br>
<br>
It was discovered that .NET did not properly enforce certain<br>
restrictions when deserializing a DataSet or DataTable from<br>
XML. An attacker could possibly use this issue to elevate their<br>
privileges. (CVE-2023-24936)<br>
<br>
Kevin Jones discovered that .NET did not properly handle the<br>
AIA fetching process for X.509 client certificates. An attacker<br>
could possibly use this issue to cause a denial of service.<br>
(CVE-2023-29331)<br>
<br>
Kalle Niemitalo discovered that the .NET package manager,<br>
NuGet, was susceptible to a potential race condition. An<br>
attacker could possibly use this issue to perform remote<br>
code execution. (CVE-2023-29337)<br>
<br>
Tom Deseyn discovered that .NET did not properly process certain<br>
arguments when extracting the contents of a tar file. An attacker<br>
could possibly use this issue to elevate their privileges. This<br>
issue only affected the dotnet7 package. (CVE-2023-32032)<br>
<br>
It was discovered that .NET did not properly handle memory in<br>
certain circumstances. An attacker could possibly use this issue<br>
to cause a denial of service or perform remote code execution.<br>
(CVE-2023-33128)<br>
<br>
Update instructions:<br>
<br>
The problem can be corrected by updating your system to the
following<br>
package versions:<br>
Ubuntu 23.04:<br>
aspnetcore-runtime-6.0 6.0.118-0ubuntu1~23.04.1<br>
aspnetcore-runtime-7.0 7.0.107-0ubuntu1~23.04.1<br>
dotnet-host 6.0.118-0ubuntu1~23.04.1<br>
dotnet-host-7.0 7.0.107-0ubuntu1~23.04.1<br>
dotnet-hostfxr-6.0 6.0.118-0ubuntu1~23.04.1<br>
dotnet-hostfxr-7.0 7.0.107-0ubuntu1~23.04.1<br>
dotnet-runtime-6.0 6.0.118-0ubuntu1~23.04.1<br>
dotnet-runtime-7.0 7.0.107-0ubuntu1~23.04.1<br>
dotnet-sdk-6.0 6.0.118-0ubuntu1~23.04.1<br>
dotnet-sdk-7.0 7.0.107-0ubuntu1~23.04.1<br>
dotnet6
6.0.118-0ubuntu1~23.04.1<br>
dotnet7
7.0.107-0ubuntu1~23.04.1<br>
<br>
Ubuntu 22.10:<br>
aspnetcore-runtime-6.0 6.0.118-0ubuntu1~22.10.1<br>
aspnetcore-runtime-7.0 7.0.107-0ubuntu1~22.10.1<br>
dotnet-host
6.0.118-0ubuntu1~22.10.1<br>
dotnet-host-7.0 7.0.107-0ubuntu1~22.10.1<br>
dotnet-hostfxr-6.0 6.0.118-0ubuntu1~22.10.1<br>
dotnet-hostfxr-7.0 7.0.107-0ubuntu1~22.10.1<br>
dotnet-runtime-6.0 6.0.118-0ubuntu1~22.10.1<br>
dotnet-runtime-7.0 7.0.107-0ubuntu1~22.10.1<br>
dotnet-sdk-6.0 6.0.118-0ubuntu1~22.10.1<br>
dotnet-sdk-7.0 7.0.107-0ubuntu1~22.10.1<br>
dotnet6
6.0.118-0ubuntu1~22.10.1<br>
dotnet7
7.0.107-0ubuntu1~22.10.1<br>
<br>
Ubuntu 22.04 LTS:<br>
aspnetcore-runtime-6.0 6.0.118-0ubuntu1~22.04.1<br>
aspnetcore-runtime-7.0 7.0.107-0ubuntu1~22.04.1<br>
dotnet-host
6.0.118-0ubuntu1~22.04.1<br>
dotnet-host-7.0 7.0.107-0ubuntu1~22.04.1<br>
dotnet-hostfxr-6.0 6.0.118-0ubuntu1~22.04.1<br>
dotnet-hostfxr-7.0 7.0.107-0ubuntu1~22.04.1<br>
dotnet-runtime-6.0 6.0.118-0ubuntu1~22.04.1<br>
dotnet-runtime-7.0 7.0.107-0ubuntu1~22.04.1<br>
dotnet-sdk-6.0 6.0.118-0ubuntu1~22.04.1<br>
dotnet-sdk-7.0 7.0.107-0ubuntu1~22.04.1<br>
dotnet6
6.0.118-0ubuntu1~22.04.1<br>
dotnet7
7.0.107-0ubuntu1~22.04.1<span class="sewbfl4ozhvgvt"></span><span
class="sewbfl4ozhvgvt"></span><br>
<br>
In general, a standard system update will make all the necessary
changes.<br>
<br>
References:<br>
<a class="moz-txt-link-freetext" href="https://ubuntu.com/security/notices/USN-6161-2">https://ubuntu.com/security/notices/USN-6161-2</a><br>
<a class="moz-txt-link-freetext" href="https://ubuntu.com/security/notices/USN-6161-1">https://ubuntu.com/security/notices/USN-6161-1</a><br>
<a class="moz-txt-link-freetext" href="https://launchpad.net/bugs/2024893">https://launchpad.net/bugs/2024893</a>,
<a class="moz-txt-link-freetext" href="https://launchpad.net/bugs/2024894">https://launchpad.net/bugs/2024894</a><br>
<br>
Package Information:<br>
<a class="moz-txt-link-freetext" href="https://launchpad.net/ubuntu/+source/dotnet6/6.0.119-0ubuntu1~23.04.1">https://launchpad.net/ubuntu/+source/dotnet6/6.0.119-0ubuntu1~23.04.1</a><br>
<a class="moz-txt-link-freetext" href="https://launchpad.net/ubuntu/+source/dotnet7/7.0.108-0ubuntu1~23.04.1">https://launchpad.net/ubuntu/+source/dotnet7/7.0.108-0ubuntu1~23.04.1</a><br>
<a class="moz-txt-link-freetext" href="https://launchpad.net/ubuntu/+source/dotnet6/6.0.119-0ubuntu1~22.10.1">https://launchpad.net/ubuntu/+source/dotnet6/6.0.119-0ubuntu1~22.10.1</a><br>
<a class="moz-txt-link-freetext" href="https://launchpad.net/ubuntu/+source/dotnet7/7.0.108-0ubuntu1~22.10.1">https://launchpad.net/ubuntu/+source/dotnet7/7.0.108-0ubuntu1~22.10.1</a><br>
<a class="moz-txt-link-freetext" href="https://launchpad.net/ubuntu/+source/dotnet6/6.0.119-0ubuntu1~22.04.1">https://launchpad.net/ubuntu/+source/dotnet6/6.0.119-0ubuntu1~22.04.1</a><br>
<a class="moz-txt-link-freetext" href="https://launchpad.net/ubuntu/+source/dotnet7/7.0.108-0ubuntu1~22.04.1">https://launchpad.net/ubuntu/+source/dotnet7/7.0.108-0ubuntu1~22.04.1</a></p>
</body>
</html>