Bug 1512982 (CVE-2017-8585)
Summary: | CVE-2017-8585 .NET Core: DoS via invalid culture | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Trevor Jay <tjay> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | | |
Version: | unspecified | CC: | bgollahe, dbhole, kanderso, lzachar, omajid, rwagner, security-response-team |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | dotnetcore 1.0.7, dotnetcore 1.1.4 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2017-12-01 11:34:12 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1513073, 1513074, 1513076, 1513077 | | |
Bug Blocks: | 1512757 | | |

Description
Trevor Jay
2017-11-14 14:46:20 UTC
The upstream note about this CVE (https://github.com/dotnet/announcements/issues/34) states:

"""
System administrators are advised to update their .NET Core runtimes to versions 1.0.7 and 1.1.4.
"""

It looks like this was fixed even before .NET Core 1.1.5 and 1.0.8.

The announcement also states:

"""
.NET Core 1.x applications are only affected if running on Windows 10 or Windows 2016.
"""

This doesn't appear to affect Linux. But due to how self-contained applications can be built for other platforms, this needs to be fixed everywhere.

This issue has been addressed in the following products:

dotNET on RHEL

Via RHSA-2017:3248 https://access.redhat.com/errata/RHSA-2017:3248

Further details of this issue can be found in the upstream Microsoft advisories, and the advisory from the original reporter.

https://github.com/dotnet/announcements/issues/34
https://github.com/dotnet/corefx/issues/24703
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8585
https://www.sidertia.com/Home/Community/Blog/2017/07/14/Microsoft-fixes-the-CVE-2017-8585-security-vulnerability-discovered-by-Sidertia-Team