USN-6634-1: .NET vulnerabilities

Releases

• Ubuntu 23.10
• Ubuntu 22.04 LTS

Packages

• dotnet6 - dotNET CLI tools and runtime
• dotnet7 - dotNET CLI tools and runtime
• dotnet8 - dotNET CLI tools and runtime

Details

Brennan Conroy discovered that .NET with SignalR did not properly
handle malicious clients. An attacker could possibly use this issue
to cause a denial of service. (CVE-2024-21386)

Bahaa Naamneh discovered that .NET with OpenSSL support did not
properly parse X509 certificates. An attacker could possibly use
this issue to cause a denial of service. (CVE-2024-21404)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 23.10

• aspnetcore-runtime-6.0 - 6.0.127-0ubuntu1~23.10.1
• aspnetcore-runtime-7.0 - 7.0.116-0ubuntu1~23.10.1
• aspnetcore-runtime-8.0 - 8.0.2-0ubuntu1~23.10.1
• dotnet-host - 6.0.127-0ubuntu1~23.10.1
• dotnet-host-7.0 - 7.0.116-0ubuntu1~23.10.1
• dotnet-host-8.0 - 8.0.2-0ubuntu1~23.10.1
• dotnet-hostfxr-6.0 - 6.0.127-0ubuntu1~23.10.1
• dotnet-hostfxr-7.0 - 7.0.116-0ubuntu1~23.10.1
• dotnet-hostfxr-8.0 - 8.0.2-0ubuntu1~23.10.1
• dotnet-runtime-6.0 - 6.0.127-0ubuntu1~23.10.1
• dotnet-runtime-7.0 - 7.0.116-0ubuntu1~23.10.1
• dotnet-runtime-8.0 - 8.0.2-0ubuntu1~23.10.1
• dotnet-sdk-6.0 - 6.0.127-0ubuntu1~23.10.1
• dotnet-sdk-7.0 - 7.0.116-0ubuntu1~23.10.1
• dotnet-sdk-8.0 - 8.0.102-0ubuntu1~23.10.1
• dotnet6 - 6.0.127-0ubuntu1~23.10.1
• dotnet7 - 7.0.116-0ubuntu1~23.10.1
• dotnet8 - 8.0.102-8.0.2-0ubuntu1~23.10.1

Ubuntu 22.04

• aspnetcore-runtime-6.0 - 6.0.127-0ubuntu1~22.04.1
• aspnetcore-runtime-7.0 - 7.0.116-0ubuntu1~22.04.1
• aspnetcore-runtime-8.0 - 8.0.2-0ubuntu1~22.04.1
• dotnet-host - 6.0.127-0ubuntu1~22.04.1
• dotnet-host-7.0 - 7.0.116-0ubuntu1~22.04.1
• dotnet-host-8.0 - 8.0.2-0ubuntu1~22.04.1
• dotnet-hostfxr-6.0 - 6.0.127-0ubuntu1~22.04.1
• dotnet-hostfxr-7.0 - 7.0.116-0ubuntu1~22.04.1
• dotnet-hostfxr-8.0 - 8.0.2-0ubuntu1~22.04.1
• dotnet-runtime-6.0 - 6.0.127-0ubuntu1~22.04.1
• dotnet-runtime-7.0 - 7.0.116-0ubuntu1~22.04.1
• dotnet-runtime-8.0 - 8.0.2-0ubuntu1~22.04.1
• dotnet-sdk-6.0 - 6.0.127-0ubuntu1~22.04.1
• dotnet-sdk-7.0 - 7.0.116-0ubuntu1~22.04.1
• dotnet-sdk-8.0 - 8.0.102-0ubuntu1~22.04.1
• dotnet6 - 6.0.127-0ubuntu1~22.04.1
• dotnet7 - 7.0.116-0ubuntu1~22.04.1
• dotnet8 - 8.0.102-8.0.2-0ubuntu1~22.04.1

In general, a standard system update will make all the necessary changes.

References

• CVE-2024-21386
• CVE-2024-21404