Ubuntu 6586 Published by

A .NET security update has been released for Ubuntu Linux 22.04 LTS, 22.10, and 23.04.



[USN-6217-1] .NET vulnerability


==========================================================================
Ubuntu Security Notice USN-6217-1
July 11, 2023

dotnet6, dotnet7 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04
- Ubuntu 22.10
- Ubuntu 22.04 LTS

Summary:

The maximum failed attempts security feature for .NET could be bypassed.

Software Description:
- dotnet6: dotNET CLI tools and runtime
- dotnet7: dotNET CLI tools and runtime

Details:

McKee-Harris, Matt Cotterell, and Jack Moran discovered that .NET did
not properly update account lockout maximum failed attempts. An
attacker could possibly use this issue to bypass the security feature
and attempt to guess more passwords for an account.

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.04:
  aspnetcore-runtime-6.0  6.0.120-0ubuntu1~23.04.1
  aspnetcore-runtime-7.0  7.0.109-0ubuntu1~23.04.1
  dotnet-host     6.0.120-0ubuntu1~23.04.1
  dotnet-host-7.0   7.0.109-0ubuntu1~23.04.1
  dotnet-hostfxr-6.0 6.0.120-0ubuntu1~23.04.1
  dotnet-hostfxr-7.0 7.0.109-0ubuntu1~23.04.1
  dotnet-runtime-6.0  6.0.120-0ubuntu1~23.04.1
  dotnet-runtime-7.0  7.0.109-0ubuntu1~23.04.1
  dotnet-sdk-6.0  6.0.120-0ubuntu1~23.04.1
  dotnet-sdk-7.0  7.0.109-0ubuntu1~23.04.1
  dotnet6       6.0.120-0ubuntu1~23.04.1
  dotnet7       7.0.109-0ubuntu1~23.04.1

Ubuntu 22.10:
  aspnetcore-runtime-6.0  6.0.120-0ubuntu1~22.10.1
  aspnetcore-runtime-7.0  7.0.109-0ubuntu1~22.10.1
  dotnet-host     6.0.120-0ubuntu1~22.10.1
  dotnet-host-7.0   7.0.109-0ubuntu1~22.10.1
  dotnet-hostfxr-6.0 6.0.120-0ubuntu1~22.10.1
  dotnet-hostfxr-7.0 7.0.109-0ubuntu1~22.10.1
  dotnet-runtime-6.0  6.0.120-0ubuntu1~22.10.1
  dotnet-runtime-7.0  7.0.109-0ubuntu1~22.10.1
  dotnet-sdk-6.0  6.0.120-0ubuntu1~22.10.1
  dotnet-sdk-7.0  7.0.109-0ubuntu1~22.10.1
  dotnet6       6.0.120-0ubuntu1~22.10.1
  dotnet7       7.0.109-0ubuntu1~22.10.1

Ubuntu 22.04 LTS:
  aspnetcore-runtime-6.0  6.0.120-0ubuntu1~22.04.1
  aspnetcore-runtime-7.0  7.0.109-0ubuntu1~22.04.1
  dotnet-host     6.0.120-0ubuntu1~22.04.1
  dotnet-host-7.0   7.0.109-0ubuntu1~22.04.1
  dotnet-hostfxr-6.0 6.0.120-0ubuntu1~22.04.1
  dotnet-hostfxr-7.0 7.0.109-0ubuntu1~22.04.1
  dotnet-runtime-6.0  6.0.120-0ubuntu1~22.04.1
  dotnet-runtime-7.0  7.0.109-0ubuntu1~22.04.1
  dotnet-sdk-6.0  6.0.120-0ubuntu1~22.04.1
  dotnet-sdk-7.0  7.0.109-0ubuntu1~22.04.1
  dotnet6 6.0.120-0ubuntu1~22.04.1
  dotnet7       7.0.109-0ubuntu1~22.04.1

In general, a standard system update will make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-6217-1
  CVE-2023-33170

Package Information:
https://launchpad.net/ubuntu/+source/dotnet6/6.0.120-0ubuntu1~23.04.1
https://launchpad.net/ubuntu/+source/dotnet7/7.0.109-0ubuntu1~23.04.1
https://launchpad.net/ubuntu/+source/dotnet6/6.0.120-0ubuntu1~22.10.1
https://launchpad.net/ubuntu/+source/dotnet7/7.0.109-0ubuntu1~22.10.1
https://launchpad.net/ubuntu/+source/dotnet6/6.0.120-0ubuntu1~22.04.1
https://launchpad.net/ubuntu/+source/dotnet7/7.0.109-0ubuntu1~22.04.1