Bug 1673891 (CVE-2019-0657) - CVE-2019-0657 dotnet: Domain-spoofing attack in System.Uri
Summary: CVE-2019-0657 dotnet: Domain-spoofing attack in System.Uri
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-0657
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1673896
Reported: 2019-02-08 11:47 UTC by Dhananjay Arunesh
Modified: 2020-04-22 03:35 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-02 23:50:28 UTC


Links
System: Red Hat Product Errata
ID: RHSA-2019:0349
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2019-02-14 04:40:04 UTC

Description Dhananjay Arunesh 2019-02-08 11:47:10 UTC
It was found that the IdnHost property of System.Uri in .NET Core insufficiently validates input. Certain Unicode characters can incorrectly change the meaning of the URI when IDN encoding is applied.

Comment 2 errata-xmlrpc 2019-02-14 04:40:03 UTC
This issue has been addressed in the following products:

  .NET Core on Red Hat Enterprise Linux

Via RHSA-2019:0349 https://access.redhat.com/errata/RHSA-2019:0349

Comment 3 Riccardo Schirone 2019-03-29 13:26:54 UTC
Reference:
https://github.com/dotnet/announcements/issues/97

Comment 4 Riccardo Schirone 2019-03-29 18:40:36 UTC
Upstream patch:
https://github.com/dotnet/corefx/commit/b8654425442fef4ba4b58510be53d9859887be1a
