CVE-2023-44487:

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

"If you're using .NET 8.0, you should download and install .NET 8.0 RC2 Runtime or .NET 8.0 RC2 SDK (for Visual Studio 2022 v17.8) from https://dotnet.microsoft.com/download/dotnet-core/8.0. If you're using .NET 7.0, you should download and install Runtime 7.0.13 or SDK 7.0.113 (for Visual Studio 2022 v17.4) from https://dotnet.microsoft.com/download/dotnet-core/7.0. If you're using .NET 6.0, you should download and install Runtime 6.0.24 or SDK 6.0.319 (for Visual Studio 2022 v17.2) from https://dotnet.microsoft.com/download/dotnet-core/6.0."

Maintainers, are we affected? Are there other dotnet packages which are affected? Do these versions equate directly to ours in tree?
I think the only one affected is source version of dotnet-sdk-7.0.
(In reply to Maciej Barć from comment #1)
> I think the only one affected is source version of dotnet-sdk-7.0.

We've never had any 6.0 or 8.0 versions that were affected?
From what I understand, 8.0 is not affected, but 6.0 is. I'm bumping it to a new version that will use .NET runtime 6.0.25.
After further inspection, the most we can do now w/o stabilizations is to leave the current stable 6.0 and 7.0 -bin slots. I will file stabilizations for NEW patch-release 6.0 and 7.0 -bin pkgs in a moment.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=215349c43af989cdebbd2c7e6b59d01167b72b70

commit 215349c43af989cdebbd2c7e6b59d01167b72b70
Author: Maciej Barć <xgqt@gentoo.org>
AuthorDate: 2023-11-24 19:52:56 +0000
Commit: Maciej Barć <xgqt@gentoo.org>
CommitDate: 2023-11-24 20:09:30 +0000

    dev-dotnet/dotnet-runtime-nugets: drop old 7.0.5

    Bug: https://bugs.gentoo.org/918418
    Signed-off-by: Maciej Barć <xgqt@gentoo.org>

 dev-dotnet/dotnet-runtime-nugets/Manifest | 20 --------
 .../dotnet-runtime-nugets-7.0.5.ebuild | 59 ----------------------
 2 files changed, 79 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=44f2ea8a5653dddfaaeb23ecc1ddbd286b7847e0

commit 44f2ea8a5653dddfaaeb23ecc1ddbd286b7847e0
Author: Maciej Barć <xgqt@gentoo.org>
AuthorDate: 2023-11-24 19:52:42 +0000
Commit: Maciej Barć <xgqt@gentoo.org>
CommitDate: 2023-11-24 20:09:30 +0000

    dev-dotnet/dotnet-runtime-nugets: drop old 7.0.12

    Bug: https://bugs.gentoo.org/918418
    Signed-off-by: Maciej Barć <xgqt@gentoo.org>

 dev-dotnet/dotnet-runtime-nugets/Manifest | 20 --------
 .../dotnet-runtime-nugets-7.0.12.ebuild | 59 ----------------------
 2 files changed, 79 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d5330e85b8f5f3ad05300132649c98cd1ada4d8a

commit d5330e85b8f5f3ad05300132649c98cd1ada4d8a
Author: Maciej Barć <xgqt@gentoo.org>
AuthorDate: 2023-11-24 19:52:24 +0000
Commit: Maciej Barć <xgqt@gentoo.org>
CommitDate: 2023-11-24 20:09:30 +0000

    dev-dotnet/dotnet-runtime-nugets: drop old 6.0.23

    Bug: https://bugs.gentoo.org/918418
    Signed-off-by: Maciej Barć <xgqt@gentoo.org>

 dev-dotnet/dotnet-runtime-nugets/Manifest | 20 --------
 .../dotnet-runtime-nugets-6.0.23.ebuild | 59 ----------------------
 2 files changed, 79 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9daf5be76894164f0ce006da06195ca239e82280

commit 9daf5be76894164f0ce006da06195ca239e82280
Author: Maciej Barć <xgqt@gentoo.org>
AuthorDate: 2023-11-24 19:51:52 +0000
Commit: Maciej Barć <xgqt@gentoo.org>
CommitDate: 2023-11-24 20:09:29 +0000

    dev-dotnet/dotnet-runtime-nugets: drop old 6.0.16

    Bug: https://bugs.gentoo.org/918418
    Signed-off-by: Maciej Barć <xgqt@gentoo.org>

 dev-dotnet/dotnet-runtime-nugets/Manifest | 20 --------
 .../dotnet-runtime-nugets-6.0.16.ebuild | 59 ----------------------
 2 files changed, 79 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d436ec927836c7d4635ba4ec2a2b8b3f5d860d7e

commit d436ec927836c7d4635ba4ec2a2b8b3f5d860d7e
Author: Maciej Barć <xgqt@gentoo.org>
AuthorDate: 2023-11-24 19:47:05 +0000
Commit: Maciej Barć <xgqt@gentoo.org>
CommitDate: 2023-11-24 20:09:29 +0000

    dev-dotnet/dotnet-sdk: drop old 7.0.105-r1

    Bug: https://bugs.gentoo.org/918418
    Signed-off-by: Maciej Barć <xgqt@gentoo.org>

 dev-dotnet/dotnet-sdk/Manifest | 1 -
 dev-dotnet/dotnet-sdk/dotnet-sdk-7.0.105-r1.ebuild | 104 ---------------------
 2 files changed, 105 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1eb48cc31a953869ac5f813618bed7b81a358475

commit 1eb48cc31a953869ac5f813618bed7b81a358475
Author: Maciej Barć <xgqt@gentoo.org>
AuthorDate: 2023-11-24 19:44:50 +0000
Commit: Maciej Barć <xgqt@gentoo.org>
CommitDate: 2023-11-24 20:09:29 +0000

    dev-dotnet/dotnet-sdk-bin: drop old 7.0.403

    Bug: https://bugs.gentoo.org/918418
    Signed-off-by: Maciej Barć <xgqt@gentoo.org>

 dev-dotnet/dotnet-sdk-bin/Manifest | 6 --
 .../dotnet-sdk-bin/dotnet-sdk-bin-7.0.403.ebuild | 72 ----------------------
 2 files changed, 78 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f419cb3d4d4957634d4aba339851c13d816f6364

commit f419cb3d4d4957634d4aba339851c13d816f6364
Author: Maciej Barć <xgqt@gentoo.org>
AuthorDate: 2023-11-24 19:44:39 +0000
Commit: Maciej Barć <xgqt@gentoo.org>
CommitDate: 2023-11-24 20:09:29 +0000

    dev-dotnet/dotnet-sdk-bin: drop old 7.0.402

    Bug: https://bugs.gentoo.org/918418
    Signed-off-by: Maciej Barć <xgqt@gentoo.org>

 dev-dotnet/dotnet-sdk-bin/Manifest | 6 --
 .../dotnet-sdk-bin/dotnet-sdk-bin-7.0.402.ebuild | 72 ----------------------
 2 files changed, 78 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e06ece1a38e1a6c8555d00655745544403c05187

commit e06ece1a38e1a6c8555d00655745544403c05187
Author: Maciej Barć <xgqt@gentoo.org>
AuthorDate: 2023-11-24 19:44:17 +0000
Commit: Maciej Barć <xgqt@gentoo.org>
CommitDate: 2023-11-24 20:09:28 +0000

    dev-dotnet/dotnet-sdk-bin: bump to 7.0.404

    Bug: https://bugs.gentoo.org/918418
    Signed-off-by: Maciej Barć <xgqt@gentoo.org>

 dev-dotnet/dotnet-sdk-bin/Manifest | 6 ++
 .../dotnet-sdk-bin/dotnet-sdk-bin-7.0.404.ebuild | 72 ++++++++++++++++++++++
 2 files changed, 78 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3148022f72db87a3090931dffe509888af1f2c7d

commit 3148022f72db87a3090931dffe509888af1f2c7d
Author: Maciej Barć <xgqt@gentoo.org>
AuthorDate: 2023-11-24 19:35:15 +0000
Commit: Maciej Barć <xgqt@gentoo.org>
CommitDate: 2023-11-24 20:09:28 +0000

    dev-dotnet/dotnet-sdk-bin: bump to 6.0.417

    Bug: https://bugs.gentoo.org/918418
    Signed-off-by: Maciej Barć <xgqt@gentoo.org>

 dev-dotnet/dotnet-sdk-bin/Manifest | 6 ++
 .../dotnet-sdk-bin/dotnet-sdk-bin-6.0.417.ebuild | 70 ++++++++++++++++++++++
 2 files changed, 76 insertions(+)
So, as I understand it, these are the affected versions?

<dotnet-sdk-8.0.100 (I presume the RCs have the affected runtime?)
<dotnet-sdk-bin-6.0.417
<dotnet-sdk-bin-7.0.404

And I don't think the nuget package is directly affected?
(In reply to John Helmert III from comment #6)
> So, as I understand it, these are the affected versions?
>
> <dotnet-sdk-8.0.100 (I presume the RCs have the affected runtime?)
> <dotnet-sdk-bin-6.0.417
> <dotnet-sdk-bin-7.0.404

This is correct.

> And I don't think the nuget package is directly affected?

They are but nobody actually runs them. They are only pulled by dotnet for build as they are bound to the .NET SDK version. They do contain affected code but nobody will ever extract that code and run it by itself.
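An added example, not part of the bug thread or of Gentoo's tooling: a slot-aware check of package versions against the three bounds confirmed above, since a 7.0.x build can be numerically above 6.0.417 and still be affected. The version ordering is a simplified stand-in for Portage's, and the sample package list (including the RC version string) is constructed.

```python
import re

# Fixed-version lower bounds confirmed in the thread. Key: (package, slot);
# slot None means the single bound covers every slot of that package.
FIXED = {
    ("dotnet-sdk", None): "8.0.100",
    ("dotnet-sdk-bin", "6.0"): "6.0.417",
    ("dotnet-sdk-bin", "7.0"): "7.0.404",
}

_VER = re.compile(r"^(\d+(?:\.\d+)*)(?:_(alpha|beta|pre|rc|p)(\d*))?(?:-r(\d+))?$")
_SUFFIX = {"alpha": -4, "beta": -3, "pre": -2, "rc": -1, None: 0, "p": 1}


def version_key(version):
    """Sortable key: numbers, then suffix (_rc < release < _p), then -rN."""
    m = _VER.match(version)
    if m is None:
        raise ValueError(f"unrecognised version: {version!r}")
    nums = tuple(int(n) for n in m.group(1).split("."))
    return (nums, _SUFFIX[m.group(2)], int(m.group(3) or 0), int(m.group(4) or 0))


def status(package, version):
    """Return 'affected', 'fixed', or 'unknown' (no bound given on the page)."""
    key = version_key(version)
    slot = ".".join(str(n) for n in key[0][:2])  # e.g. 7.0.403 -> slot "7.0"
    bound = FIXED.get((package, slot)) or FIXED.get((package, None))
    if bound is None:
        return "unknown"
    return "affected" if key < version_key(bound) else "fixed"


# Constructed sample of installed packages (not taken from a real system).
SAMPLE = [
    ("dotnet-sdk-bin", "6.0.404-r1"),
    ("dotnet-sdk-bin", "7.0.403"),   # numerically above 6.0.417, still affected
    ("dotnet-sdk-bin", "7.0.404"),
    ("dotnet-sdk", "7.0.105-r1"),
    ("dotnet-sdk", "8.0.100_rc2"),   # constructed RC version string
    ("dotnet-sdk-bin", "8.0.100"),   # no bound for this slot in the thread
]


def audit(installed):
    """Return (package, version, verdict) for each installed package."""
    return [(pkg, ver, status(pkg, ver)) for pkg, ver in installed]


if __name__ == "__main__":
    for pkg, ver, verdict in audit(SAMPLE):
        print(f"{pkg}-{ver}: {verdict}")
```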
Please cleanup.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8c0ee0df611c52f753d2e07a1525642380392cfe

commit 8c0ee0df611c52f753d2e07a1525642380392cfe
Author: Maciej Barć <xgqt@gentoo.org>
AuthorDate: 2023-11-25 23:06:56 +0000
Commit: Maciej Barć <xgqt@gentoo.org>
CommitDate: 2023-11-26 00:04:09 +0000

    dev-dotnet/dotnet-runtime-nugets: drop old 7.0.11

    Bug: https://bugs.gentoo.org/918418
    Signed-off-by: Maciej Barć <xgqt@gentoo.org>

 dev-dotnet/dotnet-runtime-nugets/Manifest | 20 --------
 .../dotnet-runtime-nugets-7.0.11.ebuild | 59 ----------------------
 2 files changed, 79 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cfeb81bd5e4dfb200174c8f78aa2f79ee1baec62

commit cfeb81bd5e4dfb200174c8f78aa2f79ee1baec62
Author: Maciej Barć <xgqt@gentoo.org>
AuthorDate: 2023-11-25 23:06:46 +0000
Commit: Maciej Barć <xgqt@gentoo.org>
CommitDate: 2023-11-26 00:04:09 +0000

    dev-dotnet/dotnet-runtime-nugets: drop old 6.0.22

    Bug: https://bugs.gentoo.org/918418
    Signed-off-by: Maciej Barć <xgqt@gentoo.org>

 dev-dotnet/dotnet-runtime-nugets/Manifest | 20 --------
 .../dotnet-runtime-nugets-6.0.22.ebuild | 59 ----------------------
 2 files changed, 79 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=058da8bad830aff23d38870efe251f67d47eee33

commit 058da8bad830aff23d38870efe251f67d47eee33
Author: Maciej Barć <xgqt@gentoo.org>
AuthorDate: 2023-11-25 23:06:12 +0000
Commit: Maciej Barć <xgqt@gentoo.org>
CommitDate: 2023-11-26 00:04:08 +0000

    dev-dotnet/dotnet-runtime-nugets: drop old 6.0.12

    Bug: https://bugs.gentoo.org/918418
    Signed-off-by: Maciej Barć <xgqt@gentoo.org>

 dev-dotnet/dotnet-runtime-nugets/Manifest | 20 --------
 .../dotnet-runtime-nugets-6.0.12.ebuild | 59 ----------------------
 2 files changed, 79 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=82386225e26a9f0b4833cef20153f07a9c1c9cca

commit 82386225e26a9f0b4833cef20153f07a9c1c9cca
Author: Maciej Barć <xgqt@gentoo.org>
AuthorDate: 2023-11-25 23:05:32 +0000
Commit: Maciej Barć <xgqt@gentoo.org>
CommitDate: 2023-11-26 00:04:08 +0000

    dev-dotnet/dotnet-sdk-bin: drop old 7.0.401-r1

    Bug: https://bugs.gentoo.org/918418
    Signed-off-by: Maciej Barć <xgqt@gentoo.org>

 dev-dotnet/dotnet-sdk-bin/Manifest | 6 --
 .../dotnet-sdk-bin-7.0.401-r1.ebuild | 71 ----------------------
 2 files changed, 77 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7721f8e50183ca6da2972e3c6806e04c805c4756

commit 7721f8e50183ca6da2972e3c6806e04c805c4756
Author: Maciej Barć <xgqt@gentoo.org>
AuthorDate: 2023-11-25 23:04:59 +0000
Commit: Maciej Barć <xgqt@gentoo.org>
CommitDate: 2023-11-26 00:04:08 +0000

    dev-dotnet/dotnet-sdk-bin: drop old 6.0.404-r1

    Bug: https://bugs.gentoo.org/918418
    Signed-off-by: Maciej Barć <xgqt@gentoo.org>

 dev-dotnet/dotnet-sdk-bin/Manifest | 6 --
 .../dotnet-sdk-bin-6.0.404-r1.ebuild | 70 ----------------------
 2 files changed, 76 deletions(-)
Cleanup done.
Thanks! Any input on exploitability?
> Any input on exploitability?

No, I cannot say.