RHSA-2023:0079: Red Hat Security Advisory: .NET 6.0 security, bug fix, and enhancement update
An update for .NET 6.0 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-21538: dotnet: Parsing an empty HTTP response as a JSON.NET JObject causes a stack overflow and crashes a process
Issued:
2023-01-11
Updated:
2023-01-11
RHSA-2023:0079 - Security Advisory
Synopsis
Moderate: .NET 6.0 security, bug fix, and enhancement update
Type/Severity
Security Advisory: Moderate
Topic
An update for .NET 6.0 is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.
New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.113 and .NET Runtime 6.0.13.
The following packages have been upgraded to a later upstream version: dotnet6.0 (6.0.113). (BZ#2154458)
Security Fix(es):
- dotnet: Parsing an empty HTTP response as a JSON.NET JObject causes a stack overflow and crashes a process (CVE-2023-21538)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
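To check a host against the fixed runtime version named above, the following added example (not part of the Red Hat advisory or its tooling) filters `dotnet --list-runtimes` output for 6.0.x runtimes below 6.0.13. The function names and the sample output are constructed for illustration, and the script assumes the usual `<name> <version> [<path>]` line format.

```shell
#!/bin/sh
# Flag .NET 6.0 runtimes older than the fixed 6.0.13 in `dotnet --list-runtimes` output.
FIXED_PATCH=13   # Runtime 6.0.13 is the fixed version named in this advisory

# Reads `dotnet --list-runtimes` lines on stdin and prints every 6.0.x runtime
# whose patch level is below FIXED_PATCH, as "<name> <version>".
vulnerable_runtimes() {
    awk -v fixed="$FIXED_PATCH" '
        $2 ~ /^6\.0\.[0-9]+/ {
            split($2, v, ".")
            patch = v[3] + 0        # a suffix such as "12-servicing" coerces to 12
            if (patch < fixed) print $1, $2
        }'
}

# Constructed sample output (not captured from a real host).
sample_runtimes() {
    cat <<'EOF'
Microsoft.AspNetCore.App 6.0.12 [/usr/lib64/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 6.0.12 [/usr/lib64/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 6.0.13 [/usr/lib64/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 7.0.2 [/usr/lib64/dotnet/shared/Microsoft.NETCore.App]
EOF
}

# On a live host: dotnet --list-runtimes | vulnerable_runtimes
if [ "${1:-}" = "--demo" ]; then sample_runtimes | vulnerable_runtimes; fi
```

Empty output means no 6.0.x runtime below the fixed patch level was listed; self-contained applications bundle their own runtime and are not covered by this check.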
Affected Products
- Red Hat Enterprise Linux for x86_64 8 x86_64
- Red Hat Enterprise Linux for IBM z Systems 8 s390x
- Red Hat Enterprise Linux for ARM 64 8 aarch64
- Red Hat CodeReady Linux Builder for x86_64 8 x86_64
- Red Hat CodeReady Linux Builder for ARM 64 8 aarch64
- Red Hat CodeReady Linux Builder for IBM z Systems 8 s390x
Fixes
- BZ - 2158342 - CVE-2023-21538 dotnet: Parsing an empty HTTP response as a JSON.NET JObject causes a stack overflow and crashes a process
Red Hat Enterprise Linux for x86_64 8
SRPM
dotnet6.0-6.0.113-1.el8_7.src.rpm
x86_64
aspnetcore-runtime-6.0-6.0.13-1.el8_7.x86_64.rpm
aspnetcore-targeting-pack-6.0-6.0.13-1.el8_7.x86_64.rpm
dotnet-apphost-pack-6.0-6.0.13-1.el8_7.x86_64.rpm
dotnet-apphost-pack-6.0-debuginfo-6.0.13-1.el8_7.x86_64.rpm
dotnet-hostfxr-6.0-6.0.13-1.el8_7.x86_64.rpm
dotnet-hostfxr-6.0-debuginfo-6.0.13-1.el8_7.x86_64.rpm
dotnet-runtime-6.0-6.0.13-1.el8_7.x86_64.rpm
dotnet-runtime-6.0-debuginfo-6.0.13-1.el8_7.x86_64.rpm
dotnet-sdk-6.0-6.0.113-1.el8_7.x86_64.rpm
dotnet-sdk-6.0-debuginfo-6.0.113-1.el8_7.x86_64.rpm
dotnet-targeting-pack-6.0-6.0.13-1.el8_7.x86_64.rpm
dotnet-templates-6.0-6.0.113-1.el8_7.x86_64.rpm
dotnet6.0-debuginfo-6.0.113-1.el8_7.x86_64.rpm
dotnet6.0-debugsource-6.0.113-1.el8_7.x86_64.rpm
Red Hat Enterprise Linux for IBM z Systems 8
SRPM
dotnet6.0-6.0.113-1.el8_7.src.rpm
s390x
aspnetcore-runtime-6.0-6.0.13-1.el8_7.s390x.rpm
aspnetcore-targeting-pack-6.0-6.0.13-1.el8_7.s390x.rpm
dotnet-apphost-pack-6.0-6.0.13-1.el8_7.s390x.rpm
dotnet-apphost-pack-6.0-debuginfo-6.0.13-1.el8_7.s390x.rpm
dotnet-hostfxr-6.0-6.0.13-1.el8_7.s390x.rpm
dotnet-hostfxr-6.0-debuginfo-6.0.13-1.el8_7.s390x.rpm
dotnet-runtime-6.0-6.0.13-1.el8_7.s390x.rpm
dotnet-runtime-6.0-debuginfo-6.0.13-1.el8_7.s390x.rpm
dotnet-sdk-6.0-6.0.113-1.el8_7.s390x.rpm
dotnet-sdk-6.0-debuginfo-6.0.113-1.el8_7.s390x.rpm
dotnet-targeting-pack-6.0-6.0.13-1.el8_7.s390x.rpm
dotnet-templates-6.0-6.0.113-1.el8_7.s390x.rpm
dotnet6.0-debuginfo-6.0.113-1.el8_7.s390x.rpm
dotnet6.0-debugsource-6.0.113-1.el8_7.s390x.rpm
Red Hat Enterprise Linux for ARM 64 8
SRPM
dotnet6.0-6.0.113-1.el8_7.src.rpm
aarch64
aspnetcore-runtime-6.0-6.0.13-1.el8_7.aarch64.rpm
aspnetcore-targeting-pack-6.0-6.0.13-1.el8_7.aarch64.rpm
dotnet-apphost-pack-6.0-6.0.13-1.el8_7.aarch64.rpm
dotnet-apphost-pack-6.0-debuginfo-6.0.13-1.el8_7.aarch64.rpm
dotnet-hostfxr-6.0-6.0.13-1.el8_7.aarch64.rpm
dotnet-hostfxr-6.0-debuginfo-6.0.13-1.el8_7.aarch64.rpm
dotnet-runtime-6.0-6.0.13-1.el8_7.aarch64.rpm
dotnet-runtime-6.0-debuginfo-6.0.13-1.el8_7.aarch64.rpm
dotnet-sdk-6.0-6.0.113-1.el8_7.aarch64.rpm
dotnet-sdk-6.0-debuginfo-6.0.113-1.el8_7.aarch64.rpm
dotnet-targeting-pack-6.0-6.0.13-1.el8_7.aarch64.rpm
dotnet-templates-6.0-6.0.113-1.el8_7.aarch64.rpm
dotnet6.0-debuginfo-6.0.113-1.el8_7.aarch64.rpm
dotnet6.0-debugsource-6.0.113-1.el8_7.aarch64.rpm
Red Hat CodeReady Linux Builder for x86_64 8
SRPM
x86_64
dotnet-apphost-pack-6.0-debuginfo-6.0.13-1.el8_7.x86_64.rpm
dotnet-hostfxr-6.0-debuginfo-6.0.13-1.el8_7.x86_64.rpm
dotnet-runtime-6.0-debuginfo-6.0.13-1.el8_7.x86_64.rpm
dotnet-sdk-6.0-debuginfo-6.0.113-1.el8_7.x86_64.rpm
dotnet-sdk-6.0-source-built-artifacts-6.0.113-1.el8_7.x86_64.rpm
dotnet6.0-debuginfo-6.0.113-1.el8_7.x86_64.rpm
dotnet6.0-debugsource-6.0.113-1.el8_7.x86_64.rpm
Red Hat CodeReady Linux Builder for ARM 64 8
SRPM
aarch64
dotnet-apphost-pack-6.0-debuginfo-6.0.13-1.el8_7.aarch64.rpm
dotnet-hostfxr-6.0-debuginfo-6.0.13-1.el8_7.aarch64.rpm
dotnet-runtime-6.0-debuginfo-6.0.13-1.el8_7.aarch64.rpm
dotnet-sdk-6.0-debuginfo-6.0.113-1.el8_7.aarch64.rpm
dotnet-sdk-6.0-source-built-artifacts-6.0.113-1.el8_7.aarch64.rpm
dotnet6.0-debuginfo-6.0.113-1.el8_7.aarch64.rpm
dotnet6.0-debugsource-6.0.113-1.el8_7.aarch64.rpm
Red Hat CodeReady Linux Builder for IBM z Systems 8
SRPM
s390x
dotnet-apphost-pack-6.0-debuginfo-6.0.13-1.el8_7.s390x.rpm
dotnet-hostfxr-6.0-debuginfo-6.0.13-1.el8_7.s390x.rpm
dotnet-runtime-6.0-debuginfo-6.0.13-1.el8_7.s390x.rpm
dotnet-sdk-6.0-debuginfo-6.0.113-1.el8_7.s390x.rpm
dotnet-sdk-6.0-source-built-artifacts-6.0.113-1.el8_7.s390x.rpm
dotnet6.0-debuginfo-6.0.113-1.el8_7.s390x.rpm
dotnet6.0-debugsource-6.0.113-1.el8_7.s390x.rpm
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
Related news
An update for .NET 6.0 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: CVE-2023-21538: dotnet: Parsing an empty HTTP response as a JSON.NET JObject causes a stack overflow and crashes a process
An update for .NET 6.0 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: CVE-2023-21538: dotnet: Parsing an empty HTTP response as a JSON.NET JObject causes a stack overflow and crashes a process
Ubuntu Security Notice 5798-1 - Johan Gorter discovered that .NET 6 incorrectly processed certain invalid HTTP requests. An attacker could possibly use this issue to cause a denial of service condition for an exposed endpoint.
# Microsoft Security Advisory CVE-2023-21538: .NET Denial of Service Vulnerability
## Executive summary
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A denial of service vulnerability exists in .NET 6.0 where a malicious client could cause a stack overflow which may result in a denial of service attack when an attacker sends an invalid request to an exposed endpoint.
## Discussion
Discussion for this issue can be found at https://github.com/dotnet/runtime/issues/80449
### Mitigation factors
Microsoft has not identified any mitigating factors for this vulnerability.
## Affected software
* Any .NET 6.0 application running on .NET 6.0.12 or earlier.
If your application uses the following package versions, en...