ESB-2018.2735 - [RedHat] .NET Core Runtime and SDK: Denial of service - Remote/unauthenticated 2018-09-13

Printable version
PGP/GPG verifiable version

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2735
        Security Advisory for .NET Core Runtime and SDK for Red Hat
                             Enterprise Linux
                             13 September 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           .NET Core Runtime and SDK
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux WS/Desktop 7
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-8409  

Reference:         ASB-2018.0214

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2018:2684

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: .NET Core Runtime 2.1.4 and SDK 2.1.402 for Red Hat Enterprise Linux
Advisory ID:       RHSA-2018:2684-01
Product:           .NET Core on Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2018:2684
Issue date:        2018-09-12
=====================================================================

1. Summary:

Updates for rh-dotnet21 and rh-dotnet21-dotnet are now available for .NET
Core on Red Hat Enterprise Linux.

Red Hat Product Security has rated this update as having a security impact
of Low.

2. Relevant releases/architectures:

.NET Core on Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
.NET Core on Red Hat Enterprise Linux Server (v. 7) - x86_64
.NET Core on Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

.NET Core is a managed software framework. It implements a subset of the
.NET framework APIs and several new APIs, and it includes a CLR
implementation.

A new version of .NET Core that addresses several security vulnerabilities
is now available. The updated version of the runtime is 2.1.4. The updated
version of the SDK is 2.1.402.

These versions correspond to the September 2018 security release by .NET
Core upstream projects.

Security Fix(es):

Default inclusions for applications built with .NET Core have been updated
to reference the newest versions and their security fixes.

For more information, please refer to the upstream docs:

- - - .NET Core 2.1.4: https://github.com/dotnet/core/issues/1932

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1621889 - .NET Core applications get oom killed on Kubernetes/OpenShift

6. Package List:

.NET Core on Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
rh-dotnet21-2.1-3.el7.src.rpm
rh-dotnet21-dotnet-2.1.402-2.el7.src.rpm

x86_64:
rh-dotnet21-2.1-3.el7.x86_64.rpm
rh-dotnet21-dotnet-2.1.402-2.el7.x86_64.rpm
rh-dotnet21-dotnet-debuginfo-2.1.402-2.el7.x86_64.rpm
rh-dotnet21-dotnet-host-2.1.4-2.el7.x86_64.rpm
rh-dotnet21-dotnet-runtime-2.1-2.1.4-2.el7.x86_64.rpm
rh-dotnet21-dotnet-sdk-2.1-2.1.402-2.el7.x86_64.rpm
rh-dotnet21-dotnet-sdk-2.1.4xx-2.1.402-2.el7.x86_64.rpm
rh-dotnet21-runtime-2.1-3.el7.x86_64.rpm

.NET Core on Red Hat Enterprise Linux Server (v. 7):

Source:
rh-dotnet21-2.1-3.el7.src.rpm
rh-dotnet21-dotnet-2.1.402-2.el7.src.rpm

x86_64:
rh-dotnet21-2.1-3.el7.x86_64.rpm
rh-dotnet21-dotnet-2.1.402-2.el7.x86_64.rpm
rh-dotnet21-dotnet-debuginfo-2.1.402-2.el7.x86_64.rpm
rh-dotnet21-dotnet-host-2.1.4-2.el7.x86_64.rpm
rh-dotnet21-dotnet-runtime-2.1-2.1.4-2.el7.x86_64.rpm
rh-dotnet21-dotnet-sdk-2.1-2.1.402-2.el7.x86_64.rpm
rh-dotnet21-dotnet-sdk-2.1.4xx-2.1.402-2.el7.x86_64.rpm
rh-dotnet21-runtime-2.1-3.el7.x86_64.rpm

.NET Core on Red Hat Enterprise Linux Workstation (v. 7):

Source:
rh-dotnet21-2.1-3.el7.src.rpm
rh-dotnet21-dotnet-2.1.402-2.el7.src.rpm

x86_64:
rh-dotnet21-2.1-3.el7.x86_64.rpm
rh-dotnet21-dotnet-2.1.402-2.el7.x86_64.rpm
rh-dotnet21-dotnet-debuginfo-2.1.402-2.el7.x86_64.rpm
rh-dotnet21-dotnet-host-2.1.4-2.el7.x86_64.rpm
rh-dotnet21-dotnet-runtime-2.1-2.1.4-2.el7.x86_64.rpm
rh-dotnet21-dotnet-sdk-2.1-2.1.402-2.el7.x86_64.rpm
rh-dotnet21-dotnet-sdk-2.1.4xx-2.1.402-2.el7.x86_64.rpm
rh-dotnet21-runtime-2.1-3.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/updates/classification/#low

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2018 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBW5i8f9zjgjWX9erEAQhGXQ//eNmhcNQ2o98eFdNYxdAAXdObqAGATb25
4a216IsJ8zRw5B9ZhaJ2CSYL0eJzfgiavXzEXX4oEnawcDB0DAo221yjTQdfEr9W
yvMfaUwLOtGcAmvY5L/0ckC1cAnOkocxNOt55GnhHyifbNQCWPDTIfEeIbjyctKd
pPGfADE10b40JvBO6OIM9PnPHfa8CjplfYcshdjd5xlVKYZ3yGAbFyC7wAuawKu2
gADt+MN8bZwmjOUEu6LNLZMdKQkW+khON67ugEphmqu+uPA76ifUNqWSzRbZ+BiZ
9YIE+9pyUq4dY7VXWFiA96wULX/Tk0qvxZSSMaEoNl62aysAN7ZgrvJJd8yRmt82
C8H81nddT+peLRhzEZv4CIs4nXpXXK6qundixasbghuoCbFduoYH3sXfNVlYE0Ol
mTvEMjZXGQQpiZRhcoEQZpOmo0bY4NhxV+nqsxSmhsB8Q/yKz+QVa3qeBmXfme0u
CT18AB73H+Ir28vvnYT5E8ntgoesu+ANCHnqr2JK2XGBozLScs2FaYIMXkLtf9zJ
ey1XifyAGzHdcgH3EQ3cZUpXURyrae+aGmizmyirQs/T88Epbt8AAxynzhgHcovV
WZ7c2CPRJqR2aNIY47I62vyOF8fzlk5Ywoierj8miaEjLGQIllmFHlHfPE2cUpzd
9GzL7InjOfI=
=3w2B
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW5oJcmaOgq3Tt24GAQhG0Q//a7Eqe8E5xUZeBUhMNIcGTQ+kgJH9rBgP
CAND21YmThXEAUbDro6/duCbPNp2xwiAOom6H7b1Nv55y+MAY8J0M2W+nboWPdJy
naIoJ/iB0LpQkw6ON5aPVYZKeznazXIYA+ci1WnGytKKCQsXtvYmzTD8Jr3UD2+d
prc963xDtFTX3J/0F5QbjwMixevkhWPRTC+XEzWUrVHHrMSB/kCj53THVbKvQAP9
u0E4XG4rsdAfbImvBK0lgloJ5KiyjnNvylNqG9+XbjtqrSgBBZ9FjKi4bJbRx1E7
N5mwHbuzvzud5uLUhwXsG1N5FWY8mdFGglyXBGOJRj2Jkz+HrKghDL6oWKUcqoeZ
15+hSD9yTnGYvqnzXl8asBswaziF7aJ0MRoMWTP9My307ZeOl/HC61w2RCGoxmzI
s98R4zp+YvEzFAEX5c5HwJer6++wldV/Y2hU07MDl7HWLGBfs13uPCwMUyfrrm71
JlbVqAw/RLyhEOQzRp493TKEZkyVszz052s9PywBFVMEuf+80sP7PiqmbwZN7KaM
WdInEM8IFmHLZuBf3vpxN/9THTgmqV8hClW5ewHUFudttdBbCb3WN9XDKgDpbvia
zPkbMd97BTT2TpXDQg3eiQ75OtMQBs3Iyla/xf3tF3ACFaBrqN2FKZJhWP1ablAC
/+HnhLNm/zk=
=6s+t
-----END PGP SIGNATURE-----

« Back to bulletins