.NET 7.0 security, bug fix, and enhancement update

2023-08-3116:54:34

Rockylinux Product Errata

errata.rockylinux.org

.net 7.0

security update

rocky linux 8

cve-2023-29331

cve-2023-29337

cve-2023-32032

cve-2023-33128

cve-2023-24936

cvss score

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.01

Percentile

83.9%

JSON

An update is available for dotnet7.0.
This update affects Rocky Linux 8.
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.

New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 7.0.107 and .NET Runtime 7.0.7.

The following packages have been upgraded to a later upstream version: dotnet7.0 (7.0.107). (BZ#2211876)

Security Fix(es):

dotnet: .NET Kestrel: Denial of Service processing X509 Certificates (CVE-2023-29331)
dotnet: vulnerability exists in NuGet where a potential race condition can lead to a symlink attack (CVE-2023-29337)
dotnet: Elevation of privilege - TarFile.ExtractToDirectory ignores extraction directory argument (CVE-2023-32032)
dotnet: Remote Code Execution - Source generators issue can lead to a crash due to unmanaged heap corruption (CVE-2023-33128)
dotnet: Bypass restrictions when deserializing a DataSet or DataTable from XML (CVE-2023-24936)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

OSVersionArchitecturePackageVersionFilename
rocky8aarch64aspnetcore-runtime-7.0< 7.0.7-1.el8_8aspnetcore-runtime-7.0-0:7.0.7-1.el8_8.aarch64.rpm
rocky8x86_64aspnetcore-runtime-7.0< 7.0.7-1.el8_8aspnetcore-runtime-7.0-0:7.0.7-1.el8_8.x86_64.rpm
rocky8aarch64aspnetcore-targeting-pack-7.0< 7.0.7-1.el8_8aspnetcore-targeting-pack-7.0-0:7.0.7-1.el8_8.aarch64.rpm
rocky8x86_64aspnetcore-targeting-pack-7.0< 7.0.7-1.el8_8aspnetcore-targeting-pack-7.0-0:7.0.7-1.el8_8.x86_64.rpm
rocky8aarch64dotnet< 7.0.107-1.el8_8dotnet-0:7.0.107-1.el8_8.aarch64.rpm
rocky8x86_64dotnet< 7.0.107-1.el8_8dotnet-0:7.0.107-1.el8_8.x86_64.rpm
rocky8aarch64dotnet7.0-debuginfo< 7.0.107-1.el8_8dotnet7.0-debuginfo-0:7.0.107-1.el8_8.aarch64.rpm
rocky8x86_64dotnet7.0-debuginfo< 7.0.107-1.el8_8dotnet7.0-debuginfo-0:7.0.107-1.el8_8.x86_64.rpm
rocky8aarch64dotnet-apphost-pack-7.0< 7.0.7-1.el8_8dotnet-apphost-pack-7.0-0:7.0.7-1.el8_8.aarch64.rpm
rocky8x86_64dotnet-apphost-pack-7.0< 7.0.7-1.el8_8dotnet-apphost-pack-7.0-0:7.0.7-1.el8_8.x86_64.rpm

OS	Version	Architecture	Package	Version	Filename
rocky	8	aarch64	aspnetcore-runtime-7.0	< 7.0.7-1.el8_8	aspnetcore-runtime-7.0-0:7.0.7-1.el8_8.aarch64.rpm
rocky	8	x86_64	aspnetcore-runtime-7.0	< 7.0.7-1.el8_8	aspnetcore-runtime-7.0-0:7.0.7-1.el8_8.x86_64.rpm
rocky	8	aarch64	aspnetcore-targeting-pack-7.0	< 7.0.7-1.el8_8	aspnetcore-targeting-pack-7.0-0:7.0.7-1.el8_8.aarch64.rpm
rocky	8	x86_64	aspnetcore-targeting-pack-7.0	< 7.0.7-1.el8_8	aspnetcore-targeting-pack-7.0-0:7.0.7-1.el8_8.x86_64.rpm
rocky	8	aarch64	dotnet	< 7.0.107-1.el8_8	dotnet-0:7.0.107-1.el8_8.aarch64.rpm
rocky	8	x86_64	dotnet	< 7.0.107-1.el8_8	dotnet-0:7.0.107-1.el8_8.x86_64.rpm
rocky	8	aarch64	dotnet7.0-debuginfo	< 7.0.107-1.el8_8	dotnet7.0-debuginfo-0:7.0.107-1.el8_8.aarch64.rpm
rocky	8	x86_64	dotnet7.0-debuginfo	< 7.0.107-1.el8_8	dotnet7.0-debuginfo-0:7.0.107-1.el8_8.x86_64.rpm
rocky	8	aarch64	dotnet-apphost-pack-7.0	< 7.0.7-1.el8_8	dotnet-apphost-pack-7.0-0:7.0.7-1.el8_8.aarch64.rpm
rocky	8	x86_64	dotnet-apphost-pack-7.0	< 7.0.7-1.el8_8	dotnet-apphost-pack-7.0-0:7.0.7-1.el8_8.x86_64.rpm