Permalink
Find file Copy path
9740e10 Jan 11, 2019
2 contributors

Users who have contributed to this file

@leecow @vivmishra
236 lines (191 sloc) 20.1 KB

.NET Core 2.1.7 Update - January 08, 2019

.NET Core 2.1.7 is available for download and usage in your environment. This release includes .NET Core 2.1.7, ASP.NET Core 2.1.7 and .NET Core SDK 2.1.503.

We've created an issue at dotnet/core #2210 for your questions and comments.

Downloads

SDK Installer1 SDK Binaries1 Runtime Installer Runtime Binaries ASP.NET Core Runtime
Windows x86 | x64 x86 | x64 x86 | x64 x86 | x64 x86 | x64
Hosting Bundle2
macOS x64 x64 x64 x64 x641
Linux See installations steps below x64 | ARM | ARM64 | x64 Alpine - x64 | ARM | ARM64 | x64 Alpine] x641 | ARM321 | x64 Alpine1
RHEL6 - x64 - x64 -
Checksums SDK - Runtime - -
Symbols CLI | SDK - Runtime | Shared Framework | Setup - ASP.NET Core
  1. Includes the .NET Core and ASP.NET Core Runtimes
  2. For hosting stand-alone apps on Windows Servers. Includes the ASP.NET Core Module for IIS and can be installed separately on servers without installing .NET Core runtime.

Docker Images

The .NET Core Docker images have been updated for this release. Details on our Docker versioning and how to work with the images can be seen in "Staying up-to-date with .NET Container Images".

The following repos have been updated

Azure AppServices

  • .NET Core 2.1.7 is being deployed to Azure App Services and the deployment is expected to complete in a couple of days.

.NET Core Lifecycle News

See .NET Core Supported OS Lifecycle Policy to learn about Windows, macOS and Linux versions that are supported for each .NET Core release.

The following OS version has changed support status since our last release:

  • Fedora 27 reached end of life on November 30, 2018 and is no longer supported by .NET Core.

Changes in 2.1.7

.NET Core 2.1.7 release carries both security and non-security fixes. In addition to the listed vulnerabilities (see CVEs below) support for new Japanese calendar eras has been added and there are some Cryptography fixes.

All fixes of note can be seen in the 2.1.7 commits list.

  • CVE-2019-0545: .NET Core Information Disclosure Vulnerability

    The security update addresses the vulnerability by enforcing Cross-origin Resource Sharing (CORS) configuration to prevent its bypass in .NET Core 2.1 and 2.2. An attacker who successfully exploited the vulnerability could retrieve content, that is normally restricted, from a web application.

    Affected Package and Binary updates

    Package name Vulnerable versions Secure versions
    Microsoft.NETCore.App (System.Net.Http) 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6 2.1.7
  • CVE-2019-0548: ASP.NET Core Denial Of Service Vulnerability

    This security vulnerability exists in ASP.NET Core 1.0, 1.1, 2.1 and 2.2. If an application is hosted on Internet Information Server (IIS) a remote unauthenticated attacker can use a specially crafted request to cause a Denial of Service.

    Affected Package and Binary updates

    Package name Vulnerable versions Secure versions
    AspNetCoreModule (ANCM) Prior to 12.1.18346.0 >=12.1.18346.0
  • CVE-2019-0564: ASP.NET Core Denial Of Service Vulnerability

    This security vulnerability exists when ASP.NET Core 2.1 and 2.2 improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an ASP.NET Core web application. The vulnerability can be exploited remotely, without authentication.

    A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET Core application.

    Package and Binary updates

    Package name Vulnerable versions Secure versions
    Microsoft.AspNetCore.WebSockets 2.2.0
    2.1.0, 2.1.1
    2.2.1
    2.1.7
    Microsoft.AspNetCore.Server.Kestrel.Core 2.1.0, 2.1.1, 2.1.2, 2.1.3 2.1.7
    System.Net.WebSockets.WebSocketProtocol 4.5.0, 4.5.1, 4.5.2 4.5.3
    Microsoft.NETCore.App 2.2.0
    2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6
    2.2.1
    2.1.7
    Microsoft.AspNetCore.App 2.2.0
    2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6
    2.2.1
    2.1.7
    Microsoft.AspNetCore.All 2.2.0
    2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6
    2.2.1
    2.1.7
  • CVE-2018-8416: .NET Core Tampering Vulnerability

    A security vulnerability exists wherein .NET Core 2.1 improperly handles specially crafted files. An attacker who successfully exploited this vulnerability could write arbitrary files and directories to certain locations on a vulnerable system. However, an attacker would have limited control over the destination of the files and directories.

    To exploit the vulnerability, an attacker must send a specially crafted file to a vulnerable system

    Package and Binary updates

    Package name Vulnerable versions Secure versions
    Microsoft.NETCore.App* 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6 2.1.7

    * Updated Microsoft.NETCore.App contains System.IO.Compression.ZipFile.dll version 4.3.1, which is not available separately on nuget.org.

Packages updated in this release:

Package name Version
dotnet-aspnet-codegenerator 2.1.7
Microsoft.AspNetCore 2.1.7
Microsoft.AspNetCore.All 2.1.7
Microsoft.AspNetCore.App 2.1.7
Microsoft.AspNetCore.Server.IISIntegration 2.1.7
Microsoft.AspNetCore.Server.Kestrel.Core 2.1.7
Microsoft.AspNetCore.WebSockets 2.1.7
Microsoft.NETCore.App 2.1.7
Microsoft.NETCore.DotNetAppHost 2.1.7
Microsoft.NETCore.DotNetHost 2.1.7
Microsoft.NETCore.DotNetHostPolicy 2.1.7
Microsoft.NETCore.DotNetHostResolver 2.1.7
Microsoft.VisualStudio.Web.CodeGeneration 2.1.7
Microsoft.VisualStudio.Web.CodeGeneration.Contracts 2.1.7
Microsoft.VisualStudio.Web.CodeGeneration.Core 2.1.7
Microsoft.VisualStudio.Web.CodeGeneration.Design 2.1.7
Microsoft.VisualStudio.Web.CodeGeneration.EntityFrameworkCore 2.1.7
Microsoft.VisualStudio.Web.CodeGeneration.Templating 2.1.7
Microsoft.VisualStudio.Web.CodeGeneration.Utils 2.1.7
Microsoft.VisualStudio.Web.CodeGenerators.Mvc 2.1.7
runtime.linux-arm.Microsoft.NETCore.App 2.1.7
runtime.linux-arm.Microsoft.NETCore.DotNetAppHost 2.1.7
runtime.linux-arm.Microsoft.NETCore.DotNetHost 2.1.7
runtime.linux-arm.Microsoft.NETCore.DotNetHostPolicy 2.1.7
runtime.linux-arm.Microsoft.NETCore.DotNetHostResolver 2.1.7
runtime.linux-arm64.Microsoft.NETCore.App 2.1.7
runtime.linux-arm64.Microsoft.NETCore.DotNetAppHost 2.1.7
runtime.linux-arm64.Microsoft.NETCore.DotNetHost 2.1.7
runtime.linux-arm64.Microsoft.NETCore.DotNetHostPolicy 2.1.7
runtime.linux-arm64.Microsoft.NETCore.DotNetHostResolver 2.1.7
runtime.linux-musl-x64.Microsoft.NETCore.App 2.1.7
runtime.linux-musl-x64.Microsoft.NETCore.DotNetAppHost 2.1.7
runtime.linux-musl-x64.Microsoft.NETCore.DotNetHost 2.1.7
runtime.linux-musl-x64.Microsoft.NETCore.DotNetHostPolicy 2.1.7
runtime.linux-musl-x64.Microsoft.NETCore.DotNetHostResolver 2.1.7
runtime.linux-x64.Microsoft.NETCore.App 2.1.7
runtime.linux-x64.Microsoft.NETCore.DotNetAppHost 2.1.7
runtime.linux-x64.Microsoft.NETCore.DotNetHost 2.1.7
runtime.linux-x64.Microsoft.NETCore.DotNetHostPolicy 2.1.7
runtime.linux-x64.Microsoft.NETCore.DotNetHostResolver 2.1.7
runtime.osx-x64.Microsoft.NETCore.App 2.1.7
runtime.osx-x64.Microsoft.NETCore.DotNetAppHost 2.1.7
runtime.osx-x64.Microsoft.NETCore.DotNetHost 2.1.7
runtime.osx-x64.Microsoft.NETCore.DotNetHostPolicy 2.1.7
runtime.osx-x64.Microsoft.NETCore.DotNetHostResolver 2.1.7
runtime.rhel.6-x64.Microsoft.NETCore.App 2.1.7
runtime.rhel.6-x64.Microsoft.NETCore.DotNetAppHost 2.1.7
runtime.rhel.6-x64.Microsoft.NETCore.DotNetHost 2.1.7
runtime.rhel.6-x64.Microsoft.NETCore.DotNetHostPolicy 2.1.7
runtime.rhel.6-x64.Microsoft.NETCore.DotNetHostResolver 2.1.7
runtime.win-arm.Microsoft.NETCore.App 2.1.7
runtime.win-arm.Microsoft.NETCore.DotNetAppHost 2.1.7
runtime.win-arm.Microsoft.NETCore.DotNetHost 2.1.7
runtime.win-arm.Microsoft.NETCore.DotNetHostPolicy 2.1.7
runtime.win-arm.Microsoft.NETCore.DotNetHostResolver 2.1.7
runtime.win-arm64.Microsoft.NETCore.App 2.1.7
runtime.win-arm64.Microsoft.NETCore.DotNetAppHost 2.1.7
runtime.win-arm64.Microsoft.NETCore.DotNetHost 2.1.7
runtime.win-arm64.Microsoft.NETCore.DotNetHostPolicy 2.1.7
runtime.win-arm64.Microsoft.NETCore.DotNetHostResolver 2.1.7
runtime.win-x64.Microsoft.NETCore.App 2.1.7
runtime.win-x64.Microsoft.NETCore.DotNetAppHost 2.1.7
runtime.win-x64.Microsoft.NETCore.DotNetHost 2.1.7
runtime.win-x64.Microsoft.NETCore.DotNetHostPolicy 2.1.7
runtime.win-x64.Microsoft.NETCore.DotNetHostResolver 2.1.7
runtime.win-x86.Microsoft.NETCore.App 2.1.7
runtime.win-x86.Microsoft.NETCore.DotNetAppHost 2.1.7
runtime.win-x86.Microsoft.NETCore.DotNetHost 2.1.7
runtime.win-x86.Microsoft.NETCore.DotNetHostPolicy 2.1.7
runtime.win-x86.Microsoft.NETCore.DotNetHostResolver 2.1.7
System.IO.Pipelines 4.5.3
System.Memory 4.5.2
System.Net.Http.WinHttpHandler 4.5.2
System.Net.WebSockets.WebSocketProtocol 4.5.3
System.Security.Cryptography.Pkcs 4.5.2
System.Text.Encoding.CodePages 4.5.1
System.Threading.Tasks.Extensions 4.5.2