Permalink
6651b81 Sep 11, 2018
1 contributor

Users who have contributed to this file

142 lines (101 sloc) 12.7 KB

.NET Core September 2018 Update - Sep 11, 2018

.NET Core 2.1.4 is available for download and usage in your environment. This release includes .NET Core 2.1.4, ASP.NET Core 2.1.4 and .NET Core SDK 2.1.402. All fixes of note can be seen in the 2.1.4 commits list.

Visit the .NET Core blog to read more about this release. Your feedback is important and appreciated. We've created an issue at dotnet/core #1932 for your questions and comments.

Downloads

SDK Installer* SDK Binaries* Runtime Installer Runtime Binaries ASP.NET Core Runtime
Windows x86 | x64 x86 | x64 x86 | x64 x86 | x64 x86 | x64
Hosting Bundle
macOS x64 x64 x64 x64 x64
Linux See installations steps below x64 | ARM | ARM64 | x64 Alpine - x64 | ARM | ARM64 | x64 Alpine x64 | ARM32 | x64 Alpine
RHEL6 - x64 - x64 -
Checksums SDK - Runtime - -
Symbols - - Runtime | Shared Framework | Setup - ASP.NET Core

* Includes the .NET Core and ASP.NET Core runtimes

Docker Images

The .NET Core Docker images have been updated for this release. Details on our Docker versioning and how to work with the images can be seen in "Staying up-to-date with .NET Container Images".

The following repos have been updated

Azure AppServices

  • Deployment of .NET Core 2.1.4 to Azure App Services will begin on today, September 11, 2018. Deployment will proceed to additional regions and is expected to be complete by the end of the week.

.NET Core Lifecycle News

See .NET Core Supported OS Lifecycle Policy to learn about Windows, macOS and Linux versions that are supported for each .NET Core release.

Supported Linux version changes

No changes in support for September.

Notable Changes in 2.1.4

CVE-2018-8409: .NET Core Denial Of Service Vulnerability

Executive summary

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core 2.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

Microsoft is aware of a denial of service vulnerability in .NET Core when System.IO.Pipelines improperly handles requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an application that is leveraging System.IO.Pipelines. The vulnerability can be exploited remotely, without authentication. A remote unauthenticated attacker could exploit this vulnerability by providing specially crafted requests to the application.

The update addresses the vulnerability by correcting how System.IO.Pipelines handles requests.

Package and Binary updates

Package name Vulnerable versions Secure versions
System.IO.Pipelines 4.5.0 4.5.1

CVE-2018-8409: ASP.NET Core Denial Of Service Vulnerability

Executive summary

Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core 2.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

Microsoft is aware of a denial of service vulnerability when ASP.NET Core improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an ASP.NET Core web application. The vulnerability can be exploited remotely, without authentication. A remote unauthenticated attacker could exploit this vulnerability by providing a specially crafted web requests to the ASP.NET Core application.

The update addresses the vulnerability by correcting how ASP.NET Core handles parsing web requests.

Package and Binary updates

Package name Vulnerable versions Secure versions
Microsoft.AspNetCore.All 2.1.0, 2.1.1, 2.1.2, 2.1.3 2.1.4
Microsoft.AspNetCore.App 2.1.0, 2.1.1, 2.1.2, 2.1.3 2.1.4
System.IO.Pipelines 4.5.0 4.5.1