Security
Headlines
HeadlinesLatestCVEs

Headline

Ubuntu Security Notice USN-6427-2

Ubuntu Security Notice 6427-2 - USN-6427-1 fixed a vulnerability in .NET. This update provides the corresponding update for .NET 8. It was discovered that the .NET Kestrel web server did not properly handle HTTP/2 requests. A remote attacker could possibly use this issue to cause a denial of service.

Packet Storm
#vulnerability#web#ubuntu#dos#perl

==========================================================================
Ubuntu Security Notice USN-6427-2
October 19, 2023

dotnet8 vulnerability

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 23.10

Summary:

.NET could be made to crash if it received specially crafted network
traffic.

Software Description:

  • dotnet8: .NET CLI tools and runtime

Details:

USN-6427-1 fixed a vulnerability in .NET. This update
provides the corresponding update for .NET 8.

Original advisory details:

It was discovered that the .NET Kestrel web server did not properly
handle
HTTP/2 requests. A remote attacker could possibly use this issue to
cause a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
aspnetcore-runtime-8.0 8.0.0~rc2-0ubuntu1
dotnet-host-8.0 8.0.0~rc2-0ubuntu1
dotnet-hostfxr-8.0 8.0.0~rc2-0ubuntu1
dotnet-runtime-8.0 8.0.0~rc2-0ubuntu1
dotnet-sdk-8.0 8.0.100~rc2-0ubuntu1
dotnet8 8.0.100-8.0.0~rc2-0ubuntu1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6427-2
https://ubuntu.com/security/notices/USN-6427-1
CVE-2023-44487

Package Information:
https://launchpad.net/ubuntu/+source/dotnet8/8.0.100-8.0.0~rc2-0ubuntu1

Related news

Ubuntu Security Notice USN-6754-1

Ubuntu Security Notice 6754-1 - It was discovered that nghttp2 incorrectly handled the HTTP/2 implementation. A remote attacker could possibly use this issue to cause nghttp2 to consume resources, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. It was discovered that nghttp2 incorrectly handled request cancellation. A remote attacker could possibly use this issue to cause nghttp2 to consume resources, leading to a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.

Red Hat Security Advisory 2024-0777-03

Red Hat Security Advisory 2024-0777-03 - An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.14. Issues addressed include bypass, code execution, cross site request forgery, cross site scripting, denial of service, information leakage, and open redirection vulnerabilities.

Ubuntu Security Notice USN-6574-1

Ubuntu Security Notice 6574-1 - Takeshi Kaneko discovered that Go did not properly handle comments and special tags in the script context of html/template module. An attacker could possibly use this issue to inject Javascript code and perform a cross site scripting attack. This issue only affected Go 1.20 in Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.04. It was discovered that Go did not properly validate the "//go:cgo_" directives during compilation. An attacker could possibly use this issue to inject arbitrary code during compile time.

Red Hat Security Advisory 2023-7703-03

Red Hat Security Advisory 2023-7703-03 - Red Hat OpenShift Pipelines 1.10.6 has been released. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-7699-03

Red Hat Security Advisory 2023-7699-03 - Red Hat OpenShift Pipelines Client tkn for 1.10.6 has been released. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-7481-01

Red Hat Security Advisory 2023-7481-01 - Red Hat OpenShift Container Platform release 4.11.54 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-7335-01

Red Hat Security Advisory 2023-7335-01 - An update is now available for Red Hat Process Automation Manager including images for Red Hat OpenShift Container Platform. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-6251-01

Red Hat Security Advisory 2023-6251-01 - Red Hat OpenShift Virtualization release 4.11.7 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-6217-01

Red Hat Security Advisory 2023-6217-01 - Red Hat OpenShift Container Platform low-latency extras release 4.14, which provides an update for cnf-tests-container, dpdk-base-container, NUMA-aware secondary scheduler and numaresources-operator is now available. Issues addressed include a denial of service vulnerability.

October 2023: back to Positive Technologies, Vulristics updates, Linux Patch Wednesday, Microsoft Patch Tuesday, PhysTech VM lecture

Hello everyone! October was an interesting and busy month for me. I started a new job, worked on my open source Vulristics project, and analyzed vulnerabilities using it. Especially Linux vulnerabilities as part of my new Linux Patch Wednesday project. And, of course, analyzed Microsoft Patch Tuesday as well. In addition, at the end of […]

Red Hat Security Advisory 2023-6161-01

Red Hat Security Advisory 2023-6161-01 - The Migration Toolkit for Containers 1.7.14 is now available. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5896-01

Red Hat Security Advisory 2023-5896-01 - Red Hat OpenShift Container Platform release 4.12.40 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-6071-01

Red Hat Security Advisory 2023-6071-01 - Updated images are now available for Red Hat Advanced Cluster Security. The updated image includes new features and bug fixes. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5976-01

Red Hat Security Advisory 2023-5976-01 - An update is now available for Service Telemetry Framework 1.5.2. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5964-01

Red Hat Security Advisory 2023-5964-01 - An update for collectd-libpod-stats is now available for Red Hat OpenStack Platform 16.2.5. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5935-01

Red Hat Security Advisory 2023-5935-01 - An update for osp-director-agent-container, osp-director-downloader-container, osp-director-operator-bundle-container, and osp-director-operator-container is now available for Red Hat OpenStack Platform 16.2.5. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5837-01

Red Hat Security Advisory 2023-5837-01 - nghttp2 contains the Hypertext Transfer Protocol version 2 client, server, and proxy programs as well as a library implementing the HTTP/2 protocol in C. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5705-01

Red Hat Security Advisory 2023-5705-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET 6.0 to SDK 6.0.123 and Runtime 6.0.23. Issues addressed include a denial of service vulnerability.

Debian Security Advisory 5522-3

Debian Linux Security Advisory 5522-3 - A regression was discovered in the Http2UpgradeHandler class of Tomcat 9 introduced by the patch to fix CVE-2023-44487 (Rapid Reset Attack). A wrong value for the overheadcount variable forced HTTP2 connections to close early.

Red Hat Security Advisory 2023-5780-01

Red Hat Security Advisory 2023-5780-01 - A security update for Camel Extensions for Quarkus 2.13.3 is now available. The purpose of this text-only erratum is to inform you about the security issues fixed. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5768-01

Red Hat Security Advisory 2023-5768-01 - nghttp2 contains the Hypertext Transfer Protocol version 2 client, server, and proxy programs as well as a library implementing the HTTP/2 protocol in C. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5767-01

Red Hat Security Advisory 2023-5767-01 - nghttp2 contains the Hypertext Transfer Protocol version 2 client, server, and proxy programs as well as a library implementing the HTTP/2 protocol in C. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-5708-01

Red Hat Security Advisory 2023-5708-01 - .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET 6.0 to SDK 6.0.123 and Runtime 6.0.23. Issues addressed include a denial of service vulnerability.

Microsoft Releases October 2023 Patches for 103 Flaws, Including 2 Active Exploits

Microsoft has released its Patch Tuesday updates for October 2023, addressing a total of 103 flaws in its software, two of which have come under active exploitation in the wild. Of the 103 flaws, 13 are rated Critical and 90 are rated Important in severity. This is apart from 18 security vulnerabilities addressed in its Chromium-based Edge browser since the second Tuesday of September. The two

Internet-Wide Zero-Day Bug Fuels Largest-Ever DDoS Event

Ongoing Rapid Reset DDoS flood attacks exposed organizations need to patch CVE-2023-44487 immediately to head off crippling outages and business disruption.

CVE-2023-44487: CVE-2023-44487 - HTTP/2 Rapid Reset Attack

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Microsoft Response to Distributed Denial of Service (DDoS) Attacks against HTTP/2

Summary Summary Beginning in September 2023, Microsoft was notified by industry partners about a newly identified Distributed Denial-of-Service (DDoS) attack technique being used in the wild targeting HTTP/2 protocol. This vulnerability (CVE-2023-44487) impacts any internet exposed HTTP/2 endpoints. As an industry leader, Microsoft promptly opened an investigation and subsequently began working with industry partners for a coordinated disclosure and mitigation plan.

Packet Storm: Latest News

CUPS IPP Attributes LAN Remote Code Execution