dotnet3.1-3.1.417-1.el8.ML.1

エラータID: AXSA:2022-3098:04

Release date: 
Monday, March 14, 2022 - 12:43
Subject: 
dotnet3.1-3.1.417-1.el8.ML.1
Affected Channels: 
Asianux Server 8 for x86_64
Severity: 
High
Description: 

.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.

New versions of .NET that address security vulnerabilities are now available. The updated versions are .NET SDK 3.1.417 and .NET Runtime 3.1.23.

Security Fix(es):

* dotnet: ASP.NET Denial of Service via FormPipeReader (CVE-2022-24464)
* dotnet: double parser stack buffer overrun (CVE-2022-24512)
* brotli: buffer overflow when input chunk is larger than 2GiB (CVE-2020-8927)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2020-8927
A buffer overflow exists in the Brotli library versions prior to 1.0.8 where an attacker controlling the input length of a "one-shot" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB. It is recommended to update your Brotli library to 1.0.8 or later. If one cannot update, we recommend to use the "streaming" API as opposed to the "one-shot" API, and impose chunk size limits.
CVE-2022-24464
.NET and Visual Studio Denial of Service Vulnerability.
CVE-2022-24512
.NET and Visual Studio Remote Code Execution Vulnerability.

Solution: 

Update packages.

CVEs: 
CVE-2020-8927
A buffer overflow exists in the Brotli library versions prior to 1.0.8 where an attacker controlling the input length of a "one-shot" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB. It is recommended to update your Brotli library to 1.0.8 or later. If one cannot update, we recommend to use the "streaming" API as opposed to the "one-shot" API, and impose chunk size limits.
CVE-2022-24464
.NET and Visual Studio Denial of Service Vulnerability.
CVE-2022-24512
.NET and Visual Studio Remote Code Execution Vulnerability.
Additional Info: 

N/A

Download: 

SRPMS
  1. dotnet3.1-3.1.417-1.el8.ML.1.src.rpm
    MD5: e65859c003197f6b2bdce020ae1f0dc3
    SHA-256: 5c3bd5841a570d0619f000ed93b71e2b9adab62cbfe45429ba8d165c8d0904fb
    Size: 315.41 MB

Asianux Server 8 for x86_64
  1. aspnetcore-runtime-3.1-3.1.23-1.el8.ML.1.x86_64.rpm
    MD5: 1603b872a5a1b546ded777854e276fe9
    SHA-256: da0edec7570d5dc2996d03846e27e6e40eeea303f8df2fa7b1e02316e833f133
    Size: 6.24 MB
  2. aspnetcore-targeting-pack-3.1-3.1.23-1.el8.ML.1.x86_64.rpm
    MD5: 9c858b7e36a1a5c7a677bfe77c032085
    SHA-256: 1cf14b888c6cf95f808995d55682cfeb64fefb9787dd53f047d59b091eb48579
    Size: 1.11 MB
  3. dotnet-apphost-pack-3.1-3.1.23-1.el8.ML.1.x86_64.rpm
    MD5: 1baf12ab3a124c60b245261838d911db
    SHA-256: 518b9ab347846c2693b60152cffd1d89972a845db8de0f3690a7fbb5553e3a4e
    Size: 76.14 kB
  4. dotnet-hostfxr-3.1-3.1.23-1.el8.ML.1.x86_64.rpm
    MD5: 87a8f73fc8bcefe9a5a99d1ca16d69eb
    SHA-256: 0c46ddf2f99aeb5c5f6fc1cd210209bdbd6196037506deb8709c4afdf09f1609
    Size: 174.48 kB
  5. dotnet-runtime-3.1-3.1.23-1.el8.ML.1.x86_64.rpm
    MD5: 42f0ed264b3f8169673577a9ce6d08c2
    SHA-256: ecce1a8eab82455758ab01ced41cef46859e4a24ec341fb759b03ee9000bc391
    Size: 27.05 MB
  6. dotnet-sdk-3.1-3.1.417-1.el8.ML.1.x86_64.rpm
    MD5: 3f5754467c176db2587290780e48cf67
    SHA-256: 864cb8c4e62efc198438c16aa39dbb3a6281c41b97a013f022cdc5d59e3af89a
    Size: 41.79 MB
  7. dotnet-targeting-pack-3.1-3.1.23-1.el8.ML.1.x86_64.rpm
    MD5: 7b1a69d47179fbdf2cc6197608ad00f2
    SHA-256: 7b4bd8ee03b31f95cbd1cc0e6bbcdd22f52e2db9b91969da31f89703229e3138
    Size: 2.02 MB
  8. dotnet-templates-3.1-3.1.417-1.el8.ML.1.x86_64.rpm
    MD5: 33027ed2aa5e5bc19ad5a04afc91a46e
    SHA-256: e7b06affccc048c5c25cb635c86aaf29a449dc0a35cf1819b38f4ae62ff806e8
    Size: 2.13 MB