Ubuntu Security Notice 6629-1 - It was discovered that UltraJSON incorrectly handled certain input with a large amount of indentation. An attacker could possibly use this issue to crash the program, resulting in a denial of service. Jake Miller discovered that UltraJSON incorrectly decoded certain characters. An attacker could possibly use this issue to cause key confusion and overwrite values in dictionaries. It was discovered that UltraJSON incorrectly handled an error when reallocating a buffer for string decoding. An attacker could possibly use this issue to corrupt memory.

==========================================================================  
Ubuntu Security Notice USN-6629-1  
February 14, 2024

ujson vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)  
- Ubuntu 16.04 LTS (Available with Ubuntu Pro)

Summary:

Several security issues were fixed in UltraJSON.

Software Description:  
- ujson: ultra fast JSON encoder and decoder for Python 3

Details:

It was discovered that UltraJSON incorrectly handled certain input with  
a large amount of indentation. An attacker could possibly use this issue  
to crash the program, resulting in a denial of service. (CVE-2021-45958)

Jake Miller discovered that UltraJSON incorrectly decoded certain  
characters. An attacker could possibly use this issue to cause key  
confusion and overwrite values in dictionaries. (CVE-2022-31116)

It was discovered that UltraJSON incorrectly handled an error when  
reallocating a buffer for string decoding. An attacker could possibly  
use this issue to corrupt memory. (CVE-2022-31117)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.04 LTS (Available with Ubuntu Pro):  
   python3-ujson                   5.1.0-1ubuntu0.1~esm1

Ubuntu 18.04 LTS (Available with Ubuntu Pro):  
   python-ujson                    1.35-2ubuntu0.1~esm1  
   python3-ujson                   1.35-2ubuntu0.1~esm1

Ubuntu 16.04 LTS (Available with Ubuntu Pro):  
   python-ujson                    1.33-1ubuntu0.1~esm2  
   python3-ujson                   1.33-1ubuntu0.1~esm2

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6629-1  
   CVE-2021-45958, CVE-2022-31116, CVE-2022-31117

Ubuntu Security Notice USN-6629-1

Red Hat Security Advisory 2024-0814-03 - An update for.NET 6.0 is now available for Red Hat Enterprise Linux 7. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0814.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: .NET 6.0 security, bug fix, and enhancement updateAdvisory ID:        RHSA-2024:0814-03Product:            .NET Core on Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0814Issue date:         2024-02-14Revision:           03CVE Names:          CVE-2024-21386====================================================================Summary: An update for .NET 6.0 is now available for Red Hat Enterprise Linux 7.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.127 and .NET Runtime 6.0.27.The following packages have been upgraded to a later upstream version: rh-dotnet60-dotnet (6.0.127). (BZ#2262321)Security Fix(es):* dotnet: Denial of Service in SignalR server (CVE-2024-21386)* dotnet: Denial of Service in X509Certificate2 (CVE-2024-21404)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-21386References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263085https://bugzilla.redhat.com/show_bug.cgi?id=2263086

Red Hat Security Advisory 2024-0814-03

Red Hat Security Advisory 2024-0808-03 - An update for dotnet6.0 is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0808.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: dotnet6.0 security updateAdvisory ID:        RHSA-2024:0808-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0808Issue date:         2024-02-14Revision:           03CVE Names:          CVE-2024-21386====================================================================Summary: An update for dotnet6.0 is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.127 and .NET Runtime 6.0.27.Security Fix(es):* dotnet: Denial of Service in SignalR server (CVE-2024-21386)* dotnet: Denial of Service in X509Certificate2 (CVE-2024-21404)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-21386References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263085https://bugzilla.redhat.com/show_bug.cgi?id=2263086

Red Hat Security Advisory 2024-0808-03

Red Hat Security Advisory 2024-0807-03 - An update for dotnet6.0 is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0807.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: dotnet6.0 security updateAdvisory ID:        RHSA-2024:0807-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0807Issue date:         2024-02-14Revision:           03CVE Names:          CVE-2024-21386====================================================================Summary: An update for dotnet6.0 is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 6.0.127 and .NET Runtime 6.0.27.Security Fix(es):* dotnet: Denial of Service in SignalR server (CVE-2024-21386)* dotnet: Denial of Service in X509Certificate2 (CVE-2024-21404)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-21386References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263085https://bugzilla.redhat.com/show_bug.cgi?id=2263086

Red Hat Security Advisory 2024-0807-03

Red Hat Security Advisory 2024-0806-03 - An update for dotnet7.0 is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0806.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: dotnet7.0 security updateAdvisory ID:        RHSA-2024:0806-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0806Issue date:         2024-02-14Revision:           03CVE Names:          CVE-2024-21386====================================================================Summary: An update for dotnet7.0 is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 7.0.116 and .NET Runtime 7.0.16.Security Fix(es):* dotnet: Denial of Service in SignalR server (CVE-2024-21386)* dotnet: Denial of Service in X509Certificate2 (CVE-2024-21404)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-21386References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263085https://bugzilla.redhat.com/show_bug.cgi?id=2263086

Red Hat Security Advisory 2024-0806-03

Red Hat Security Advisory 2024-0805-03 - An update for dotnet7.0 is now available for Red Hat Enterprise Linux 9. Issues addressed include a denial of service vulnerability.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0805.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: dotnet7.0 security updateAdvisory ID:        RHSA-2024:0805-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:0805Issue date:         2024-02-14Revision:           03CVE Names:          CVE-2024-21386====================================================================Summary: An update for dotnet7.0 is now available for Red Hat Enterprise Linux 9.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 7.0.116 and .NET Runtime 7.0.16.Security Fix(es):* dotnet: Denial of Service in SignalR server (CVE-2024-21386)* dotnet: Denial of Service in X509Certificate2 (CVE-2024-21404)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-21386References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2263085https://bugzilla.redhat.com/show_bug.cgi?id=2263086

Red Hat Security Advisory 2024-0805-03

Red Hat Security Advisory 2024-0741-03 - Red Hat OpenShift Container Platform release 4.13.33 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include denial of service and traversal vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0741.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Critical: OpenShift Container Platform 4.13.33 bug fix and security update  
Advisory ID:        RHSA-2024:0741-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0741  
Issue date:         2024-02-14  
Revision:           03  
CVE Names:          CVE-2022-3064  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.13.33 is now available with updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container Platform 4.13.

Red Hat Product Security has rated this update as having a security impact of  Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.33. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHBA-2024:0743

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

Security Fix(es):

* go-git: Maliciously crafted Git server replies can lead to path traversal  
and RCE on go-git clients (CVE-2023-49569)  
* go-yaml: Improve heuristics preventing CPU/memory abuse by parsing  
malicious or large YAML documents (CVE-2022-3064)  
* golang: net/http, x/net/http2: rapid stream resets can cause excessive  
work (CVE-2023-44487) (CVE-2023-39325)  
* go-git: Maliciously crafted Git server replies can cause DoS on go-git  
clients (CVE-2023-49568)  
* opentelemetry-go-contrib: DoS vulnerability in otelgrpc due to unbound  
cardinality metrics (CVE-2023-47108)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html

Solution:

CVEs:

CVE-2022-3064

References:

https://access.redhat.com/security/updates/classification/#critical  
https://bugzilla.redhat.com/show_bug.cgi?id=2163037  
https://bugzilla.redhat.com/show_bug.cgi?id=2243296  
https://bugzilla.redhat.com/show_bug.cgi?id=2251198  
https://bugzilla.redhat.com/show_bug.cgi?id=2258143  
https://bugzilla.redhat.com/show_bug.cgi?id=2258165  
https://issues.redhat.com/browse/OCPBUGS-24661  
https://issues.redhat.com/browse/OCPBUGS-25611  
https://issues.redhat.com/browse/OCPBUGS-25805  
https://issues.redhat.com/browse/OCPBUGS-26508  
https://issues.redhat.com/browse/OCPBUGS-28205  
https://issues.redhat.com/browse/OCPBUGS-28208  
https://issues.redhat.com/browse/OCPBUGS-28777  
https://issues.redhat.com/browse/OCPBUGS-28953  
https://issues.redhat.com/browse/OCPBUGS-28958  
https://issues.redhat.com/browse/OCPBUGS-28979  
https://issues.redhat.com/browse/OCPBUGS-29151  
https://issues.redhat.com/browse/OCPBUGS-6236  
https://issues.redhat.com/browse/OCPBUGS-8343

Red Hat Security Advisory 2024-0741-03

Red Hat Security Advisory 2024-0740-03 - Red Hat OpenShift Container Platform release 4.13.33 is now available with updates to packages and images that fix several bugs. Issues addressed include denial of service and traversal vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0740.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Critical: OpenShift Container Platform 4.13.33 security and extras update  
Advisory ID:        RHSA-2024:0740-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0740  
Issue date:         2024-02-14  
Revision:           03  
CVE Names:          CVE-2023-49568  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.13.33 is now available with updates to packages and images that fix several bugs.

This release includes a security update for Red Hat OpenShift Container Platform 4.13.

Red Hat Product Security has rated this update as having a security impact of  Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.33. See the following advisory for the container images for this release:

https://access.redhat.com/errata/RHSA-2024:0741

Security Fix(es):

* go-git: Maliciously crafted Git server replies can lead to path traversal  
and RCE on go-git clients (CVE-2023-49569)  
* go-git: Maliciously crafted Git server replies can cause DoS on go-git  
clients (CVE-2023-49568)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html

Solution:

https://docs.openshift.com/container-platform/4.13/release_notes/ocp-4-13-release-notes.html

CVEs:

CVE-2023-49568

References:

https://access.redhat.com/security/updates/classification/#critical  
https://bugzilla.redhat.com/show_bug.cgi?id=2258143  
https://bugzilla.redhat.com/show_bug.cgi?id=2258165

Red Hat Security Advisory 2024-0740-03

Red Hat Security Advisory 2024-0735-03 - Red Hat OpenShift Container Platform release 4.14.12 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include denial of service and traversal vulnerabilities.

The following advisory data is extracted from:

https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_0735.json

Red Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.

- Packet Storm Staff

====================================================================  
Red Hat Security Advisory

Synopsis:           Critical: OpenShift Container Platform 4.14.12 bug fix and security update  
Advisory ID:        RHSA-2024:0735-03  
Product:            Red Hat OpenShift Enterprise  
Advisory URL:       https://access.redhat.com/errata/RHSA-2024:0735  
Issue date:         2024-02-14  
Revision:           03  
CVE Names:          CVE-2022-21708  
====================================================================

Summary: 

Red Hat OpenShift Container Platform release 4.14.12 is now available with  
updates to packages and images that fix several bugs and add enhancements.

This release includes a security update for Red Hat OpenShift Container  
Platform 4.14.

Red Hat Product Security has rated this update as having a security impact  
of Critical. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.

This advisory contains the container images for Red Hat OpenShift Container Platform 4.14.12. See the following advisory for the RPM packages for this release:

https://access.redhat.com/errata/RHBA-2024:0738

Space precludes documenting all of the container images in this advisory. See the following Release Notes documentation, which will be updated shortly for this release, for details about these changes:

https://docs.openshift.com/container-platform/4.14/release_notes/ocp-4-14-release-notes.html

Security Fix(es):

* go-git: Maliciously crafted Git server replies can lead to path traversal  
and RCE on go-git clients (CVE-2023-49569)  
* go-git: Maliciously crafted Git server replies can cause DoS on go-git  
clients (CVE-2023-49568)  
* graphql-go: Denial of service via stack overflow panics (CVE-2022-21708)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.  
All OpenShift Container Platform 4.14 users are advised to upgrade to these updated packages and images when they are available in the appropriate release channel. To check for available updates, use the OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at https://docs.openshift.com/container-platform/4.14/updating/updating_a_cluster/updating-cluster-cli.html

Solution:

CVEs:

CVE-2022-21708

References:

https://access.redhat.com/security/updates/classification/#critical  
https://bugzilla.redhat.com/show_bug.cgi?id=2045014  
https://bugzilla.redhat.com/show_bug.cgi?id=2258143  
https://bugzilla.redhat.com/show_bug.cgi?id=2258165  
https://issues.redhat.com/browse/OCPBUGS-20180  
https://issues.redhat.com/browse/OCPBUGS-20547  
https://issues.redhat.com/browse/OCPBUGS-26526  
https://issues.redhat.com/browse/OCPBUGS-26527  
https://issues.redhat.com/browse/OCPBUGS-27072  
https://issues.redhat.com/browse/OCPBUGS-27157  
https://issues.redhat.com/browse/OCPBUGS-27419  
https://issues.redhat.com/browse/OCPBUGS-27773  
https://issues.redhat.com/browse/OCPBUGS-28238  
https://issues.redhat.com/browse/OCPBUGS-28379  
https://issues.redhat.com/browse/OCPBUGS-28384  
https://issues.redhat.com/browse/OCPBUGS-28789  
https://issues.redhat.com/browse/OCPBUGS-28823  
https://issues.redhat.com/browse/OCPBUGS-28871  
https://issues.redhat.com/browse/OCPBUGS-28949  
https://issues.redhat.com/browse/OCPBUGS-28950  
https://issues.redhat.com/browse/OCPBUGS-28951  
https://issues.redhat.com/browse/OCPBUGS-28952  
https://issues.redhat.com/browse/OCPBUGS-28957  
https://issues.redhat.com/browse/OCPBUGS-29030  
https://issues.redhat.com/browse/OCPBUGS-29034  
https://issues.redhat.com/browse/OCPBUGS-7262

Red Hat Security Advisory 2024-0735-03

Ubuntu Security Notice 6634-1 - Brennan Conroy discovered that .NET with SignalR did not properly handle malicious clients. An attacker could possibly use this issue to cause a denial of service. Bahaa Naamneh discovered that .NET with OpenSSL support did not properly parse X509 certificates. An attacker could possibly use this issue to cause a denial of service.

==========================================================================  
Ubuntu Security Notice USN-6634-1  
February 13, 2024

dotnet6, dotnet7, dotnet8 vulnerabilities  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10  
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in .NET.

Software Description:  
- dotnet6: dotNET CLI tools and runtime  
- dotnet7: dotNET CLI tools and runtime  
- dotnet8: dotNET CLI tools and runtime

Details:

Brennan Conroy discovered that .NET with SignalR did not properly  
handle malicious clients. An attacker could possibly use this issue  
to cause a denial of service. (CVE-2024-21386)

Bahaa Naamneh discovered that .NET with OpenSSL support did not  
properly parse X509 certificates. An attacker could possibly use  
this issue to cause a denial of service. (CVE-2024-21404)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.10:  
   aspnetcore-runtime-6.0          6.0.127-0ubuntu1~23.10.1  
   aspnetcore-runtime-7.0          7.0.116-0ubuntu1~23.10.1  
   aspnetcore-runtime-8.0          8.0.2-0ubuntu1~23.10.1  
   dotnet-host                     6.0.127-0ubuntu1~23.10.1  
   dotnet-host-7.0                 7.0.116-0ubuntu1~23.10.1  
   dotnet-host-8.0                 8.0.2-0ubuntu1~23.10.1  
   dotnet-hostfxr-6.0              6.0.127-0ubuntu1~23.10.1  
   dotnet-hostfxr-7.0              7.0.116-0ubuntu1~23.10.1  
   dotnet-hostfxr-8.0              8.0.2-0ubuntu1~23.10.1  
   dotnet-runtime-6.0              6.0.127-0ubuntu1~23.10.1  
   dotnet-runtime-7.0              7.0.116-0ubuntu1~23.10.1  
   dotnet-runtime-8.0              8.0.2-0ubuntu1~23.10.1  
   dotnet-sdk-6.0                  6.0.127-0ubuntu1~23.10.1  
   dotnet-sdk-7.0                  7.0.116-0ubuntu1~23.10.1  
   dotnet-sdk-8.0                  8.0.102-0ubuntu1~23.10.1  
   dotnet6                         6.0.127-0ubuntu1~23.10.1  
   dotnet7                         7.0.116-0ubuntu1~23.10.1  
   dotnet8                         8.0.102-8.0.2-0ubuntu1~23.10.1

Ubuntu 22.04 LTS:  
   aspnetcore-runtime-6.0          6.0.127-0ubuntu1~22.04.1  
   aspnetcore-runtime-7.0          7.0.116-0ubuntu1~22.04.1  
   aspnetcore-runtime-8.0          8.0.2-0ubuntu1~22.04.1  
   dotnet-host                     6.0.127-0ubuntu1~22.04.1  
   dotnet-host-7.0                 7.0.116-0ubuntu1~22.04.1  
   dotnet-host-8.0                 8.0.2-0ubuntu1~22.04.1  
   dotnet-hostfxr-6.0              6.0.127-0ubuntu1~22.04.1  
   dotnet-hostfxr-7.0              7.0.116-0ubuntu1~22.04.1  
   dotnet-hostfxr-8.0              8.0.2-0ubuntu1~22.04.1  
   dotnet-runtime-6.0              6.0.127-0ubuntu1~22.04.1  
   dotnet-runtime-7.0              7.0.116-0ubuntu1~22.04.1  
   dotnet-runtime-8.0              8.0.2-0ubuntu1~22.04.1  
   dotnet-sdk-6.0                  6.0.127-0ubuntu1~22.04.1  
   dotnet-sdk-7.0                  7.0.116-0ubuntu1~22.04.1  
   dotnet-sdk-8.0                  8.0.102-0ubuntu1~22.04.1  
   dotnet6                         6.0.127-0ubuntu1~22.04.1  
   dotnet7                         7.0.116-0ubuntu1~22.04.1  
   dotnet8                         8.0.102-8.0.2-0ubuntu1~22.04.1

In general, a standard system update will make all the necessary changes.

References:  
   https://ubuntu.com/security/notices/USN-6634-1  
   CVE-2024-21386, CVE-2024-21404

Package Information:  
https://launchpad.net/ubuntu/+source/dotnet6/6.0.127-0ubuntu1~23.10.1  
https://launchpad.net/ubuntu/+source/dotnet7/7.0.116-0ubuntu1~23.10.1  
https://launchpad.net/ubuntu/+source/dotnet8/8.0.102-8.0.2-0ubuntu1~23.10.1  
https://launchpad.net/ubuntu/+source/dotnet6/6.0.127-0ubuntu1~22.04.1  
https://launchpad.net/ubuntu/+source/dotnet7/7.0.116-0ubuntu1~22.04.1  
https://launchpad.net/ubuntu/+source/dotnet8/8.0.102-8.0.2-0ubuntu1~22.04.1

Tag

#dos