A denial-of-service vulnerability exists in the way Kestrel parses HTTP/2 requests. The security update addresses the vulnerability by fixing the way the Kestrel parses HTTP/2 requests. Users are advised to upgrade.
References
- https://nvd.nist.gov/vuln/detail/CVE-2021-1723
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3L27CGRVEWUPELNJOGTCW6GLEDBECB4B/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RRXHERXW4KR5WCP76UDW5PC7GX3YQLUW/
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1723
- https://github.com/dotnet/announcements/issues/170
- https://github.com/advisories/GHSA-242j-2gm6-5rwx