USN-6480-1: .NET vulnerabilities

Publication date

15 November 2023

Overview

Several security issues were fixed in .NET.


Packages

  • dotnet6 - dotNET CLI tools and runtime
  • dotnet7 - dotNET CLI tools and runtime
  • dotnet8 - dotNET CLI tools and runtime

Details

Barry Dorrans discovered that .NET did not properly implement certain
security features for Blazor server forms. An attacker could possibly
use this issue to bypass validation, which could trigger unintended
actions. (CVE-2023-36558)

Piotr Bazydlo discovered that .NET did not properly handle untrusted
URIs provided to System.Net.WebRequest.Create. An attacker could possibly
use this issue to inject arbitrary commands to backend FTP servers.
(CVE-2023-36049)

Barry Dorrans discovered that .NET did not properly implement certain
security features for Blazor server forms. An attacker could possibly
use this issue to bypass validation, which could trigger unintended
actions. (CVE-2023-36558)

Piotr Bazydlo discovered that .NET did not properly handle untrusted
URIs provided to System.Net.WebRequest.Create. An attacker could possibly
use this issue to inject arbitrary commands to backend FTP servers.
(CVE-2023-36049)

Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release Package Version
23.10 mantic aspnetcore-runtime-6.0 –  6.0.125-0ubuntu1~23.10.1
aspnetcore-runtime-7.0 –  7.0.114-0ubuntu1~23.10.1
aspnetcore-runtime-8.0 –  8.0.0-0ubuntu1~23.10.1
dotnet-host –  6.0.125-0ubuntu1~23.10.1
dotnet-host-7.0 –  7.0.114-0ubuntu1~23.10.1
dotnet-host-8.0 –  8.0.0-0ubuntu1~23.10.1
dotnet-hostfxr-6.0 –  6.0.125-0ubuntu1~23.10.1
dotnet-hostfxr-7.0 –  7.0.114-0ubuntu1~23.10.1
dotnet-hostfxr-8.0 –  8.0.0-0ubuntu1~23.10.1
dotnet-runtime-6.0 –  6.0.125-0ubuntu1~23.10.1
dotnet-runtime-7.0 –  7.0.114-0ubuntu1~23.10.1
dotnet-runtime-8.0 –  8.0.0-0ubuntu1~23.10.1
dotnet-sdk-6.0 –  6.0.125-0ubuntu1~23.10.1
dotnet-sdk-7.0 –  7.0.114-0ubuntu1~23.10.1
dotnet-sdk-8.0 –  8.0.100-0ubuntu1~23.10.1
dotnet6 –  6.0.125-0ubuntu1~23.10.1
dotnet7 –  7.0.114-0ubuntu1~23.10.1
dotnet8 –  8.0.100-8.0.0-0ubuntu1~23.10.1
23.04 lunar aspnetcore-runtime-6.0 –  6.0.125-0ubuntu1~23.04.1
aspnetcore-runtime-7.0 –  7.0.114-0ubuntu1~23.04.1
dotnet-host –  6.0.125-0ubuntu1~23.04.1
dotnet-host-7.0 –  7.0.114-0ubuntu1~23.04.1
dotnet-hostfxr-6.0 –  6.0.125-0ubuntu1~23.04.1
dotnet-hostfxr-7.0 –  7.0.114-0ubuntu1~23.04.1
dotnet-runtime-6.0 –  6.0.125-0ubuntu1~23.04.1
dotnet-runtime-7.0 –  7.0.114-0ubuntu1~23.04.1
dotnet-sdk-6.0 –  6.0.125-0ubuntu1~23.04.1
dotnet-sdk-7.0 –  7.0.114-0ubuntu1~23.04.1
dotnet6 –  6.0.125-0ubuntu1~23.04.1
dotnet7 –  7.0.114-0ubuntu1~23.04.1
22.04 jammy aspnetcore-runtime-6.0 –  6.0.125-0ubuntu1~22.04.1
aspnetcore-runtime-7.0 –  7.0.114-0ubuntu1~22.04.1
dotnet-host –  6.0.125-0ubuntu1~22.04.1
dotnet-host-7.0 –  7.0.114-0ubuntu1~22.04.1
dotnet-hostfxr-6.0 –  6.0.125-0ubuntu1~22.04.1
dotnet-hostfxr-7.0 –  7.0.114-0ubuntu1~22.04.1
dotnet-runtime-6.0 –  6.0.125-0ubuntu1~22.04.1
dotnet-runtime-7.0 –  7.0.114-0ubuntu1~22.04.1
dotnet-sdk-6.0 –  6.0.125-0ubuntu1~22.04.1
dotnet-sdk-7.0 –  7.0.114-0ubuntu1~22.04.1
dotnet6 –  6.0.125-0ubuntu1~22.04.1
dotnet7 –  7.0.114-0ubuntu1~22.04.1

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.


Have additional questions?

Talk to a member of the team ›