[ubuntu/mantic-proposed] dotnet7 7.0.110-0ubuntu1 (Accepted)
Ian Constantin
ian.constantin at canonical.com
Wed Aug 9 00:56:07 UTC 2023
dotnet7 (7.0.110-0ubuntu1) mantic; urgency=medium
* New upstream release.
* SECURITY UPDATE: remote code execution
- CVE-2023-35390: When running certain dotnet commands (e.g. dotnet help
add), dotnet attempts to locate and initiate a new process using
cmd.exe. However, it prioritizes searching for cmd.exe in the current
working directory (CWD) before checking other locations. This can
potentially lead to the execution of malicious code.
* SECURITY UPDATE: denial of service
- CVE-2023-38178: ASP.NET Kestrel stream flow control issue causing a
leak. A malicious QUIC client that fires off many unidirectional
streams with closed writing sides will bypass the HTTP/3 stream
limit, and Kestrel cannot keep up with stream processing.
* SECURITY UPDATE: denial of service
- CVE-2023-38180: Kestrel vulnerability to slow read attacks.
Date: Thu, 03 Aug 2023 08:15:06 +0300
Changed-By: Ian Constantin <ian.constantin at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Signed-By: Alex Murray <alex.murray at canonical.com>
https://launchpad.net/ubuntu/+source/dotnet7/7.0.110-0ubuntu1
-------------- next part --------------
Format: 1.8
Date: Thu, 03 Aug 2023 08:15:06 +0300
Source: dotnet7
Built-For-Profiles: noudeb
Architecture: source
Version: 7.0.110-0ubuntu1
Distribution: mantic
Urgency: medium
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Ian Constantin <ian.constantin at canonical.com>
Changes:
dotnet7 (7.0.110-0ubuntu1) mantic; urgency=medium
.
* New upstream release.
* SECURITY UPDATE: remote code execution
- CVE-2023-35390: When running certain dotnet commands (e.g. dotnet help
add), dotnet attempts to locate and initiate a new process using
cmd.exe. However, it prioritizes searching for cmd.exe in the current
working directory (CWD) before checking other locations. This can
potentially lead to the execution of malicious code.
* SECURITY UPDATE: denial of service
- CVE-2023-38178: ASP.NET Kestrel stream flow control issue causing a
leak. A malicious QUIC client that fires off many unidirectional
streams with closed writing sides will bypass the HTTP/3 stream
limit, and Kestrel cannot keep up with stream processing.
* SECURITY UPDATE: denial of service
- CVE-2023-38180: Kestrel vulnerability to slow read attacks.