Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
1 contributor

Users who have contributed to this file

197 lines (131 sloc) 18.8 KB

.NET Core 3.0.2 Update - January 14, 2020

.NET Core 3.0.2 is available for download and usage in your environment. This release includes .NET Core 3.0.2 and .NET Core SDK 3.0.102.

Your feedback is important and appreciated. We've created an issue at dotnet/core #4119 for your questions and comments.

Downloads

SDK Installer1 SDK Binaries1 Runtime Installer Runtime Binaries ASP.NET Core Runtime Windows Desktop Runtime
Windows x86 | x64 x86 | x64 | ARM x86 | x64 x86 | x64 | ARM x86 | x64 | ARM |
Hosting Bundle2
x86 | x64
macOS x64 x64 x64 x64 x641 -
Linux Snap Install x64 | ARM | ARM64 | x64 Alpine - x64 | ARM | ARM64 | x64 Alpine x641 | ARM1 | ARM641 | x64 Alpine1 -
Checksums SDK - Runtime - - -
  1. Includes the .NET Core and ASP.NET Core Runtimes
  2. For hosting stand-alone apps on Windows Servers. Includes the ASP.NET Core Module for IIS and can be installed separately on servers without installing .NET Core runtime.

Docker Images

The .NET Core Docker images have been updated for this release. Details on our Docker versioning and how to work with the images can be seen in "Staying up-to-date with .NET Container Images".

The following repos have been updated

The images are expected to be available later today.

Azure AppServices

  • .NET Core 3.0.2 is being deployed to Azure App Services and the deployment is expected to complete later in January 2020.

.NET Core Lifecycle News

.NET Core 2.2 reached end of life on December 23, 2019. This means .NET Core 2.2 is no longer supported and updates will no longer be provided. We recommend moving to .NET Core 3.1, our long term support (LTS) release.

.NET Core 3.0 will reach end of life on March 3, 2020 which is 3 months after the release of .NET Core 3.1. You can view the Microsoft Support for .NET Core for more information about life-cycle of each product.

Fedora 29 has been out of support since November 29, 2019 and .NET Core no longer provides support for it.

Ubuntu 19.04 will be out of support on January 23, 2020.

See .NET Core Supported OS Lifecycle Policy to learn about Windows, macOS and Linux versions that are supported for each .NET Core release.

Changes in 3.0.2

.NET Core 3.0.2 release carries both security and non-security fixes.

CVE-2020-0602: ASP.NET Core Denial of Service Vulnerability

Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

Microsoft is aware of a denial of service vulnerability exists when ASP.NET Core improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an ASP.NET Core web application. The vulnerability can be exploited remotely, without authentication.

A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the ASP.NET Core application.

The update addresses the vulnerability by correcting how the ASP.NET Core web application handles web requests.

Affected Package and Binary updates

Package name Vulnerable versions Secure versions
Microsoft.AspNetCore.Http.Connections 1.0.0 - 1.0.4 1.0.15
Microsoft.AspNetCore.App 2.1.0 - 2.1.14
3.0.0
3.1.0
2.1.15
3.0.1
3.1.1
Microsoft.AspNetCore.All 2.1.0 - 2.1.14 2.0.15

CVE-2020-0603: ASP.NET Core Remote Code Execution Vulnerability

Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

Microsoft is aware of a remote code execution vulnerability exists in ASP.NET Core software when the software fails to handle objects in memory. An attacker who successfully exploited this vulnerability could cause a denial of service against an ASP.NET Core web application. The vulnerability can be exploited remotely, without authentication.

A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the ASP.NET Core application.

The update addresses the vulnerability by correcting how the ASP.NET Core web application handles in memory.

Affected Package and Binary updates

Package name Vulnerable versions Secure versions
Microsoft.AspNetCore.Http.Connections 1.0.0 - 1.0.4 1.0.15
Microsoft.AspNetCore.App 2.1.0 - 2.1.14
3.0.0
3.1.0
2.1.15
3.0.1
3.1.1
Microsoft.AspNetCore.All 2.1.0 - 2.1.14 2.1.15

CVE-2020-0605: .NET Core Remote Code Execution Vulnerability

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

Microsoft is aware of a remote code execution vulnerability exists in .NET software when the software fails to check the source markup of a file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.

Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of .NET Core. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file.

The security update addresses the vulnerability by correcting how .NET Core checks the source markup of a file.

Package name Vulnerable versions Secure versions
Microsoft.WindowsDesktop.App 3.0.0 - 3.0.1 3.0.2
Microsoft.WindowsDesktop.App 3.1.0 3.1.1

CVE-2020-0606: .NET Core Remote Code Execution Vulnerability

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

Microsoft is aware of a remote code execution vulnerability exists in .NET software when the software fails to check the source markup of a file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.

Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of .NET Core. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file.

The security update addresses the vulnerability by correcting how .NET Core checks the source markup of a file.

Package name Vulnerable versions Secure versions
Microsoft.WindowsDesktop.App 3.0.0 - 3.0.1 3.0.2
Microsoft.WindowsDesktop.App 3.1.0 3.1.1

Additional fixes in this release

You can’t perform that action at this time.