Subject: [ASA-202103-17] dotnet-sdk: multiple issues Arch Linux Security Advisory ASA-202103-17 ========================================== Severity: High Date : 2021-03-25 CVE-ID : CVE-2021-1721 CVE-2021-1723 CVE-2021-24112 Package : dotnet-sdk Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-1449 Summary ======= The package dotnet-sdk before version 5.0.3.sdk103-2 is vulnerable to multiple issues including arbitrary code execution and denial of service. Resolution ========== Upgrade to 5.0.3.sdk103-2. # pacman -Syu "dotnet-sdk>=5.0.3.sdk103-2" The problems have been fixed upstream in version 5.0.3.sdk103. Workaround ========== None. Description =========== - CVE-2021-1721 (denial of service) A security issue was found in dotnet-core before version 3.1.12. A denial-of-service vulnerability exists when creating HTTPS web request during X509 certificate chain building. - CVE-2021-1723 (denial of service) A flaw was found in dotnet-core before version 3.1.11. Running callbacks outside of locks results in Krestel deadlock using HTTP2. - CVE-2021-24112 (arbitrary code execution) A remote code execution vulnerability exists in dotnet-core before version 3.1.12 when parsing certain types of graphics files. This vulnerability only exists on systems running on MacOS or Linux. Impact ====== A malicious client can send crafted HTTP requests and crash the server, or execute arbitrary code by reading a crafted file. References ========== https://bugs.archlinux.org/task/69317 https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1721 https://github.com/dotnet/announcements/issues/175 https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1723 https://github.com/dotnet/announcements/issues/170 https://github.com/dotnet/aspnetcore/commit/20ad9fa5dcde635c13c6c83806c4701d5b7ec21e https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24112 https://github.com/dotnet/announcements/issues/176 https://security.archlinux.org/CVE-2021-1721 https://security.archlinux.org/CVE-2021-1723 https://security.archlinux.org/CVE-2021-24112