Operating System:

[RedHat]

Published:

12 August 2021

Protect yourself against future threats.

//Service

Early Warning SMS

Receive SMS notifications for the most critical security threats and vulnerabilities.

Read more
Resources > Security Bulletins > ESB-2021.2723 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2723
   .NET Core 2.1 on Red Hat Enterprise Linux security and bugfix update
                              12 August 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           .NET Core 2.1
Publisher:         Red Hat
Operating System:  Red Hat
Impact/Access:     Access Confidential Data -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-34485  

Reference:         ASB-2021.0172

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2021:3144
   https://access.redhat.com/errata/RHSA-2021:3145

Comment: This bulletin contains two (2) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: .NET Core 2.1 on Red Hat Enterprise Linux security and bugfix update
Advisory ID:       RHSA-2021:3144-01
Product:           .NET Core on Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:3144
Issue date:        2021-08-11
CVE Names:         CVE-2021-34485 
=====================================================================

1. Summary:

An update for .NET Core 2.1 is now available for .NET Core on Red Hat
Enterprise Linux.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

.NET Core on Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
.NET Core on Red Hat Enterprise Linux Server (v. 7) - x86_64
.NET Core on Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

.NET Core is a managed-software framework. It implements a subset of the
.NET framework APIs and several new APIs, and it includes a CLR
implementation.

New versions of .NET Core that address a security vulnerability are now
available. The updated versions are .NET Core SDK  2.1.525 and .NET Core
Runtime 2.1.29.

Security Fix(es):

* dotnet: Dump file created world-readable (CVE-2021-34485)

Default inclusions for applications built with .NET Core have been updated
to reference the newest versions and their security fixes.

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1990286 - CVE-2021-34485 dotnet: Dump file created world-readable

6. Package List:

.NET Core on Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
rh-dotnet21-2.1-28.el7_9.src.rpm
rh-dotnet21-dotnet-2.1.525-1.el7_9.src.rpm

x86_64:
rh-dotnet21-2.1-28.el7_9.x86_64.rpm
rh-dotnet21-dotnet-2.1.525-1.el7_9.x86_64.rpm
rh-dotnet21-dotnet-debuginfo-2.1.525-1.el7_9.x86_64.rpm
rh-dotnet21-dotnet-host-2.1.29-1.el7_9.x86_64.rpm
rh-dotnet21-dotnet-runtime-2.1-2.1.29-1.el7_9.x86_64.rpm
rh-dotnet21-dotnet-sdk-2.1-2.1.525-1.el7_9.x86_64.rpm
rh-dotnet21-dotnet-sdk-2.1.5xx-2.1.525-1.el7_9.x86_64.rpm
rh-dotnet21-runtime-2.1-28.el7_9.x86_64.rpm

.NET Core on Red Hat Enterprise Linux Server (v. 7):

Source:
rh-dotnet21-2.1-28.el7_9.src.rpm
rh-dotnet21-dotnet-2.1.525-1.el7_9.src.rpm

x86_64:
rh-dotnet21-2.1-28.el7_9.x86_64.rpm
rh-dotnet21-dotnet-2.1.525-1.el7_9.x86_64.rpm
rh-dotnet21-dotnet-debuginfo-2.1.525-1.el7_9.x86_64.rpm
rh-dotnet21-dotnet-host-2.1.29-1.el7_9.x86_64.rpm
rh-dotnet21-dotnet-runtime-2.1-2.1.29-1.el7_9.x86_64.rpm
rh-dotnet21-dotnet-sdk-2.1-2.1.525-1.el7_9.x86_64.rpm
rh-dotnet21-dotnet-sdk-2.1.5xx-2.1.525-1.el7_9.x86_64.rpm
rh-dotnet21-runtime-2.1-28.el7_9.x86_64.rpm

.NET Core on Red Hat Enterprise Linux Workstation (v. 7):

Source:
rh-dotnet21-2.1-28.el7_9.src.rpm
rh-dotnet21-dotnet-2.1.525-1.el7_9.src.rpm

x86_64:
rh-dotnet21-2.1-28.el7_9.x86_64.rpm
rh-dotnet21-dotnet-2.1.525-1.el7_9.x86_64.rpm
rh-dotnet21-dotnet-debuginfo-2.1.525-1.el7_9.x86_64.rpm
rh-dotnet21-dotnet-host-2.1.29-1.el7_9.x86_64.rpm
rh-dotnet21-dotnet-runtime-2.1-2.1.29-1.el7_9.x86_64.rpm
rh-dotnet21-dotnet-sdk-2.1-2.1.525-1.el7_9.x86_64.rpm
rh-dotnet21-dotnet-sdk-2.1.5xx-2.1.525-1.el7_9.x86_64.rpm
rh-dotnet21-runtime-2.1-28.el7_9.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-34485
https://access.redhat.com/security/updates/classification/#low

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYRQa6tzjgjWX9erEAQhpUw/+J+ct/h97dtZeh3ULDlxiCcNatnhVIYQJ
RkxfZFN/DzwIFzGXTq3w0EX8W0NiPKGZPdOiIh+kaxo3VtQbtZ0shudEClKoMm22
YhcLZVMsH9e3nHgOK9SsHiy8wB1wC2Sme7S5rAHq7YK4oZKoUtoiPJ5gPlmi60xr
Mph3mOtarGbG6TJ/HP+ZeYllSnswveqCnP/XFf2JZE0hVZCB6Euqsx0xnUQ8oRIf
jHzEf72lZjgHDxQ5n7epKcrkgKFyezdqnSJP3pGXln8BTAdJAxIKIt7YDbTyJiyN
BI8cXEbU4QhuY0Fk7/UnR9ZUzIfftUzFx6jrSz89P0bs5wfsgYg02tFpICs7ZOxC
c6n9MVgAUjz2vcdN7g2ZnVUav+RLns8enpOHzrgiYXRvkCPFFo9XeOQiROGMIoSC
MFhxAW9Z9R6qd60M8JJnyGGkaLIaFpcNviQXC5QyoiqFUUbhLpvg2KnB/qqLPcyS
vSh131Odxu7/kNJOz+Cs7ahOBGJJLske8+qHpQeuB8MCRgvCqm+1a2AYV2noBTzi
e1qm4Aj+TCLdYqVXSkogf5fKQhWWZqhZ17sSAlJmVxK8/zJWAeg7Gn4vDfTMvrM9
vhl0gTc4pABXI2CqqQ8ulnlFgbz6HO+3goDqqcMDAakQpGu4LiKZMuu+fvKOut61
yQT8DLJkIgU=
=rDt/
- -----END PGP SIGNATURE-----

- --------------------------------------------------------------------------------------------------------------------


- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: .NET Core 2.1 security and bugfix update
Advisory ID:       RHSA-2021:3145-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:3145
Issue date:        2021-08-11
CVE Names:         CVE-2021-34485 
=====================================================================

1. Summary:

An update for .NET Core 2.1 is now available for Red Hat Enterprise Linux
8.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - x86_64

3. Description:

.NET Core is a managed-software framework. It implements a subset of the
.NET framework APIs and several new APIs, and it includes a CLR
implementation.

New versions of .NET Core that address a security vulnerability are now
available. The updated versions are .NET Core SDK  2.1.525 and .NET Core
Runtime 2.1.29.

Security Fix(es):

* dotnet: Dump file created world-readable (CVE-2021-34485)

Default inclusions for applications built with .NET Core have been updated
to reference the newest versions and their security fixes.

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1990286 - CVE-2021-34485 dotnet: Dump file created world-readable

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
dotnet-2.1.525-1.el8_4.src.rpm

x86_64:
dotnet-debuginfo-2.1.525-1.el8_4.x86_64.rpm
dotnet-debugsource-2.1.525-1.el8_4.x86_64.rpm
dotnet-host-fxr-2.1-2.1.29-1.el8_4.x86_64.rpm
dotnet-host-fxr-2.1-debuginfo-2.1.29-1.el8_4.x86_64.rpm
dotnet-runtime-2.1-2.1.29-1.el8_4.x86_64.rpm
dotnet-runtime-2.1-debuginfo-2.1.29-1.el8_4.x86_64.rpm
dotnet-sdk-2.1-2.1.525-1.el8_4.x86_64.rpm
dotnet-sdk-2.1.5xx-2.1.525-1.el8_4.x86_64.rpm
dotnet-sdk-2.1.5xx-debuginfo-2.1.525-1.el8_4.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-34485
https://access.redhat.com/security/updates/classification/#low

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYRQfItzjgjWX9erEAQg6QQ//cB/aHk1DRZhp4/jdh5cCuefLXB2nDORG
dALHhLkH2foNwR7AvClwUWSfP+wQ0OMBAuMS69W7Hm9D6Op59xiRkTQT8Lh8ICXH
YNOUenqm4DWjD7WHLRyF/YSuR132/6kLRqxs5zfKCIR2YHeKcr7RrTRG1Qj3DN3q
xV9W9Mmuh+1UwrWqvwDg1Nfu18vUDzeXLTHm3Gkpy6LDKzBh1ng4Kzxv37ScplNW
Ar8Tvm8dZoBX7NsHtfrajMBIHaADC2favsLDDHqe88vrIYOq+bIbfXEa26w6PQsV
dWJiuVZtoAd/nUCb2WO5oJ2WCmHfgy6BWFvp+P/U5dvsa90s0xJKxwejl5NlW8j7
jg128D1w1H+1GA3To0VXNiS5nBHrlfAQTsnhuVpigaltfRof6IrE/grf5HmuC7PX
u1heibDlQOP6eZCKIuaFK9yklSNYpir2tPmHKJuI6kUNwMk7PdScAAVqU+in08Qx
E/2wmJebA6g5TuQwxu6xn2kiCnqeKLlUKAtyI5u5E0pFFf8xEKRpRpYt5r89TfFw
eZu/9IED6DCt9+1Z1/FNisZt9P7dD7vdPO7Q+FhE3wvDx9s6I9kF6EmvL/eDH566
EsjZUqx6/VFlanM8chmM1GyxRf8gDtzVwc6bfFhML15n2p/YrQEY6TqKPeoJ6q0A
RJPPkOonynk=
=LuHh
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYRRcjeNLKJtyKPYoAQgavw//YvPOYGK7RfSdXnHm4z2yhrl6xtuEIuvq
dL9z4AUka6xdHtdW3ZJ/wkGEMvrQTvKmUn89Rw3QCAxHFHM2Yw3IyOgY1K0kNmE8
8JSf7qT/rtanPthjK3ioPfN6R2gIPA6rOJp/SXL5IIrIg+4CwIMVYom8STOXzwC/
58vS4rWGb9tEC3cWIP9KQppUbxkS3Kt0zrQn0Lr5vDD0jkDMW2mZWzbDcrkc0Mac
4vTN5Jfq+7z1IGrP/AssKDLom4jjGfJFg/4apixNKH5m+sngaFQyTo40mtdB05FV
El/lGcemRgpsWcqLWAVhVOnxgABdh34rgjhTo7ZounU9KNcW42pI74kvGvWWVI3q
HhE5JkxWPDPZ9h+tQXQM4RMfWS6cl+JfjPjZM9RZ9O1fecpZOA/TVML1xTAggDtP
Fr0SE92MHqYApjIfaVj8HYnsIzkTCCIuH5+LkGHASF4hM6KUbPNM44Mp/SVb3Shl
A//+WsNA5R9Ye1uQw+r4izpJYurCc8YS2td9Ro5+A7PIFTOOayeJdsmj/FgPctaU
N6ZlrZCBG+2V6WT2f1La9i6m1Zo8Xn+Igpmayo/IsvJFc9VFveBLt2xHt55eNGKd
SR9XCsQNPbYTNP+MPU1aAWxWmOJJtkCU7gJ7mjSVHtyT1qjbaiS9b5EljsroUK1O
mSfD+JdVDGs=
=D6Mq
-----END PGP SIGNATURE-----