USN-7058-1: .NET vulnerabilities

Releases

• Ubuntu 24.04 LTS
• Ubuntu 22.04 LTS

Packages

• dotnet6 - .NET CLI tools and runtime
• dotnet8 - .NET CLI tools and runtime

Details

Brennan Conroy discovered that the .NET Kestrel web server did not
properly handle closing HTTP/3 streams under certain circumstances. An
attacker could possibly use this issue to achieve remote code execution.
This vulnerability only impacted .NET8. (CVE-2024-38229)

It was discovered that .NET components designed to process malicious input
were susceptible to hash flooding attacks. An attacker could possibly use
this issue to cause a denial of service, resulting in a crash.
(CVE-2024-43483)

It was discovered that the .NET System.IO.Packaging namespace did not
properly process SortedList data structures. An attacker could possibly
use this issue to cause a denial of service, resulting in a crash.
(CVE-2024-43484)

It was discovered that .NET did not properly handle the deserialization of
of certain JSON properties. An attacker could possibly use this issue to
cause a denial of service, resulting in a crash. (CVE-2024-43485)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 24.04

• aspnetcore-runtime-8.0 - 8.0.10-0ubuntu1~24.04.1
• dotnet-host-8.0 - 8.0.10-0ubuntu1~24.04.1
• dotnet-hostfxr-8.0 - 8.0.10-0ubuntu1~24.04.1
• dotnet-runtime-8.0 - 8.0.10-0ubuntu1~24.04.1
• dotnet-sdk-8.0 - 8.0.110-0ubuntu1~24.04.1
• dotnet8 - 8.0.110-8.0.10-0ubuntu1~24.04.1

Ubuntu 22.04

• aspnetcore-runtime-6.0 - 6.0.135-0ubuntu1~22.04.1
• aspnetcore-runtime-8.0 - 8.0.10-0ubuntu1~22.04.1
• dotnet-host - 6.0.135-0ubuntu1~22.04.1
• dotnet-host-8.0 - 8.0.10-0ubuntu1~22.04.1
• dotnet-hostfxr-6.0 - 6.0.135-0ubuntu1~22.04.1
• dotnet-hostfxr-8.0 - 8.0.10-0ubuntu1~22.04.1
• dotnet-runtime-6.0 - 6.0.135-0ubuntu1~22.04.1
• dotnet-runtime-8.0 - 8.0.10-0ubuntu1~22.04.1
• dotnet-sdk-6.0 - 6.0.135-0ubuntu1~22.04.1
• dotnet-sdk-8.0 - 8.0.110-0ubuntu1~22.04.1
• dotnet6 - 6.0.135-0ubuntu1~22.04.1
• dotnet8 - 8.0.110-8.0.10-0ubuntu1~22.04.1

In general, a standard system update will make all the necessary changes.

References

• CVE-2024-43485
• CVE-2024-38229
• CVE-2024-43483
• CVE-2024-43484