RHSA-2023:0077: Red Hat Security Advisory: .NET 6.0 security, bug fix, and enhancement update
An update for .NET 6.0 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-21538: dotnet: Parsing an empty HTTP response as a JSON.NET JObject causes a stack overflow and crashes a process
Issued:
2023-01-11
Updated:
2023-01-11
RHSA-2023:0077 - Security Advisory
Synopsis
Moderate: .NET 6.0 security, bug fix, and enhancement update
Type/Severity
Security Advisory: Moderate
Topic
An update for .NET 6.0 is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.
New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.113 and .NET Runtime 6.0.13.
The following packages have been upgraded to a later upstream version: dotnet6.0 (6.0.113). (BZ#2154459)
Security Fix(es):
- dotnet: Parsing an empty HTTP response as a JSON.NET JObject causes a stack overflow and crashes a process (CVE-2023-21538)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Products
- Red Hat Enterprise Linux for x86_64 9 x86_64
- Red Hat Enterprise Linux for IBM z Systems 9 s390x
- Red Hat Enterprise Linux for ARM 64 9 aarch64
- Red Hat CodeReady Linux Builder for x86_64 9 x86_64
- Red Hat CodeReady Linux Builder for ARM 64 9 aarch64
- Red Hat CodeReady Linux Builder for IBM z Systems 9 s390x
Fixes
- BZ - 2158342 - CVE-2023-21538 dotnet: Parsing an empty HTTP response as a JSON.NET JObject causes a stack overflow and crashes a process
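A host-side check for the fixed version named in the Description, as an added example that is not part of the Red Hat advisory: it reads `dotnet --list-runtimes` output and reports every 6.0.x runtime below 6.0.13. The sample input, install paths and function names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not Red Hat's or Microsoft's tooling.
# The advisory gives .NET Runtime 6.0.13 as the fixed release, so any 6.0.x
# runtime with a patch number below 13 still carries CVE-2023-21538.
FIXED_PATCH=13

# Constructed sample of `dotnet --list-runtimes` output (paths are assumptions).
sample_runtimes() {
  cat <<'EOF'
Microsoft.AspNetCore.App 6.0.12 [/usr/lib64/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 6.0.12 [/usr/lib64/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 6.0.13 [/usr/lib64/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 7.0.2 [/usr/lib64/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 6.0.0-rc.2.21480.5 [/usr/lib64/dotnet/shared/Microsoft.NETCore.App]
EOF
}

# Reads `dotnet --list-runtimes` lines on stdin and prints "name version" for
# each 6.0.x runtime below the fixed patch level. Returns 1 if any are found.
find_unpatched_runtimes() {
  awk -v fixed="$FIXED_PATCH" '
    NF >= 2 {
      n = split($2, v, ".")
      # This advisory covers the 6.0 line only; other majors are skipped.
      if (n < 3 || v[1] != 6 || v[2] != 0) next
      patch = v[3]
      sub(/[^0-9].*$/, "", patch)      # drop a prerelease suffix such as "-rc"
      if (patch == "") next
      if (patch + 0 < fixed + 0) { print $1, $2; bad = 1 }
    }
    END { exit (bad ? 1 : 0) }'
}

# Demo on the constructed sample. On a real host, pipe the live output instead:
#   dotnet --list-runtimes | find_unpatched_runtimes
sample_runtimes | find_unpatched_runtimes \
  || echo "unpatched 6.0 runtime present: apply RHSA-2023:0077"
```

Side-by-side runtime installs are common, so a host can carry the fixed 6.0.13 runtime and still list an older 6.0.x one; the check reports each installed runtime separately for that reason.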
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.
Related news
An update for .NET 6.0 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-21538: dotnet: Parsing an empty HTTP response as a JSON.NET JObject causes a stack overflow and crashes a process
An update for .NET 6.0 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-21538: dotnet: Parsing an empty HTTP response as a JSON.NET JObject causes a stack overflow and crashes a process
Ubuntu Security Notice 5798-1 - Johan Gorter discovered that .NET 6 incorrectly processed certain invalid HTTP requests. An attacker could possibly use this issue to cause a denial of service condition for an exposed endpoint.
# Microsoft Security Advisory CVE-2023-21538: .NET Denial of Service Vulnerability
## Executive summary
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A denial of service vulnerability exists in .NET 6.0 where a malicious client could cause a stack overflow which may result in a denial of service attack when an attacker sends an invalid request to an exposed endpoint.
## Discussion
Discussion for this issue can be found at https://github.com/dotnet/runtime/issues/80449
### Mitigation factors
Microsoft has not identified any mitigating factors for this vulnerability.
## Affected software
* Any .NET 6.0 application running on .NET 6.0.12 or earlier.
If your application uses the following package versions, en...