Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#69317 - [dotnet-core] [Security] denial of service (CVE-2021-1723)
Attached to Project:
Community Packages
Opened by Jonas Witschel (diabonas) - Wednesday, 13 January 2021, 21:49 GMT
Last edited by Maxime Gauduin (Alucryd) - Wednesday, 17 March 2021, 07:52 GMT
Opened by Jonas Witschel (diabonas) - Wednesday, 13 January 2021, 21:49 GMT
Last edited by Maxime Gauduin (Alucryd) - Wednesday, 17 March 2021, 07:52 GMT
|
DetailsSummary
======= The packages dotnet-runtime and dotnet-sdk are vulnerable to denial of service via CVE-2021-1723. Guidance ======== Upgrading to the latest version 3.1.11 of dotnet-core fixes the issue. References ========== https://security.archlinux.org/AVG-1449 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1723 https://github.com/dotnet/announcements/issues/170 https://github.com/dotnet/aspnetcore/commit/20ad9fa5dcde635c13c6c83806c4701d5b7ec21e |
This task depends upon
Closed by Maxime Gauduin (Alucryd)
Wednesday, 17 March 2021, 07:52 GMT
Reason for closing: Fixed
Additional comments about closing: 5.0.4.sdk104
Wednesday, 17 March 2021, 07:52 GMT
Reason for closing: Fixed
Additional comments about closing: 5.0.4.sdk104
Comment by Jonas Witschel (diabonas) -
Tuesday, 09 February 2021, 18:27 GMT
Two more issues have been found (CVE-2021-1721 and CVE-2021-24112), one of the could lead to arbitrary code execution. Please update dotnet to version 3.1.12 (https://github.com/dotnet/core/blob/master/release-notes/3.1/3.1.12/3.1.12.md) to fix these issues.
Comment by Jonas Witschel (diabonas) -
Tuesday, 09 March 2021, 18:11 GMT
And yet another one (CVE-2021-26701), please update dotnet to version 3.1.13 (https://github.com/dotnet/core/blob/main/release-notes/3.1/3.1.13/3.1.13.md).
Comment by Jonas Witschel (diabonas) -
Tuesday, 16 March 2021, 11:10 GMT
CVE-2021-1723, CVE-2021-1721 and CVE-2021-24112 have been fixed by the recent update to dotnet 5.0.3.sdk103. However, the package is still vulnerable to the latest issue CVE-2021-26701. Please update to version 5.0.4 / SDK 5.0.104 to fix the issue, see https://github.com/dotnet/announcements/issues/178