dotnet5.0-5.0.212-1.el8.ML.1

エラータID: AXSA:2022-3097:08

Release date: 
Monday, March 14, 2022 - 11:52
Subject: 
dotnet5.0-5.0.212-1.el8.ML.1
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
High
Description: 

.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.

New versions of .NET that address security vulnerabilities are now available. The updated versions are .NET SDK 5.0.212 and .NET Runtime 5.0.15.

Security Fix(es):

* dotnet: ASP.NET Denial of Service via FormPipeReader (CVE-2022-24464)
* dotnet: double parser stack buffer overrun (CVE-2022-24512)
* brotli: buffer overflow when input chunk is larger than 2GiB (CVE-2020-8927)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2020-8927
A buffer overflow exists in the Brotli library versions prior to 1.0.8 where an attacker controlling the input length of a "one-shot" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB. It is recommended to update your Brotli library to 1.0.8 or later. If one cannot update, we recommend to use the "streaming" API as opposed to the "one-shot" API, and impose chunk size limits.
CVE-2022-24464
.NET and Visual Studio Denial of Service Vulnerability.
CVE-2022-24512
.NET and Visual Studio Remote Code Execution Vulnerability.

Solution: 

Update packages.

CVEs: 
CVE-2020-8927
A buffer overflow exists in the Brotli library versions prior to 1.0.8 where an attacker controlling the input length of a "one-shot" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB. It is recommended to update your Brotli library to 1.0.8 or later. If one cannot update, we recommend to use the "streaming" API as opposed to the "one-shot" API, and impose chunk size limits.
CVE-2022-24464
.NET and Visual Studio Denial of Service Vulnerability.
CVE-2022-24512
.NET and Visual Studio Remote Code Execution Vulnerability.
Additional Info: 

N/A

Download: 

SRPMS
  1. dotnet5.0-5.0.212-1.el8.ML.1.src.rpm
    MD5: ab30a47cf28e0b552a1b0a50c80ad81c
    SHA-256: 98cff2b5cef7dae558560e9f44c3924c3285473be26a5e3ebe6581f988107eea
    Size: 166.68 MB

Asianux Server 8 for x86_64
  1. aspnetcore-runtime-5.0-5.0.15-1.el8.ML.1.x86_64.rpm
    MD5: af9615b022ef08a42782344832d6245e
    SHA-256: a2cab5690f32cb31a8e33b3fba9d2e8362be7112c9eca84e1d6bfe6cce07ee60
    Size: 6.54 MB
  2. aspnetcore-targeting-pack-5.0-5.0.15-1.el8.ML.1.x86_64.rpm
    MD5: 9097cd25bfa42b01a7d7d1744b9ed79e
    SHA-256: 48c1905addc0bcd2677c53b99d91d97c54dd30f6e8c2de65a4b9f1b275499b51
    Size: 1.43 MB
  3. dotnet-apphost-pack-5.0-5.0.15-1.el8.ML.1.x86_64.rpm
    MD5: 07ceae5093a50862a28f378717cf0362
    SHA-256: 2b599b959139b9a4d90d37c75c79db9042a2c3112bca1902310f0c160d5f57f9
    Size: 3.78 MB
  4. dotnet-hostfxr-5.0-5.0.15-1.el8.ML.1.x86_64.rpm
    MD5: 250af6447f8b7b092e29034dc36300d9
    SHA-256: b6edbdeba630a1848bd2b5670387fa28ed617aaba00e90d8a5e8308a5acfa358
    Size: 154.96 kB
  5. dotnet-runtime-5.0-5.0.15-1.el8.ML.1.x86_64.rpm
    MD5: bd84112c46950fc436b47d7d39e8a1c6
    SHA-256: f0d2a28c725114696fa168d2b62744d7cbee4826f63fa65fa3ae1eaa0db3758e
    Size: 26.81 MB
  6. dotnet-sdk-5.0-5.0.212-1.el8.ML.1.x86_64.rpm
    MD5: b2650eaf2cb338a91d910c470af12bae
    SHA-256: c99b2f72aad397f6589ef45b0c9be522b684e687603dc54e49c740552d9e5d30
    Size: 50.39 MB
  7. dotnet-targeting-pack-5.0-5.0.15-1.el8.ML.1.x86_64.rpm
    MD5: adc22378ace5583945692bae16de67aa
    SHA-256: e71b0fdb0cb139d7dec3efac3d22e21663cea5589205d77f3272fab1e57711bf
    Size: 2.37 MB
  8. dotnet-templates-5.0-5.0.212-1.el8.ML.1.x86_64.rpm
    MD5: 0d05fe339aba6906a02bc3490d7fb7e2
    SHA-256: e4a38ea2282ed00bd1a96eb027e50d16355e87ce61abc1b84601ee68778a2dee
    Size: 2.16 MB