.NET January 2024 Update - .NET 8.0.1, NET 7.0.15, .NET 6.0.26 #9052

Closed
rbhanda opened this issue Jan 9, 2024 · 8 comments

Comments

@rbhanda
Contributor

rbhanda commented Jan 9, 2024

.NET January 2024 Update

Release Notes

Status

Asset Type 8.0.1 7.0.15 6.0.26 Notes
Installers/Binaries
Snaps
Linux Packages (Microsoft distribution) The list below refers to the Microsoft-provisioned feeds (packages.microsoft.com) and does not in any way represent direct availability in distros (e.g. RHEL, Fedora).
     Centos 7 NA
     Centos 8
     Debian 10
     Debian 11
     Debian 12
     Fedora 37
     Fedora 38
     Fedora 39
     OpenSUSE 15
     Ubuntu 20.04
     Ubuntu 22.04
     Ubuntu 23.04

Issues

Please report any issues you find either by responding to this issue, creating a new issue or creating a new issue in one of the following repos:

Known Issues

@dotnet dotnet locked and limited conversation to collaborators Jan 9, 2024
@dotnet dotnet unlocked this conversation Jan 9, 2024
@rbhanda rbhanda pinned this issue Jan 9, 2024
@JulijaRamoskiene

JulijaRamoskiene commented Jan 10, 2024

It is announced that 6.0.26 has the CVE-2024-0056 fix. When I try to add the "Microsoft.EntityFrameworkCore.SqlServer 6.0.26" package dependency to my project, I see that it has a reference to Microsoft.Data.SqlClient version 2.1.4. As I understand, version 2.1.4 is vulnerable, and 2.1.7 should be used.
Is it correct that it is not enough to update the "Microsoft.EntityFrameworkCore.SqlServer" package to 6.0.26, and that I also need to add a direct reference to Microsoft.Data.SqlClient 2.1.7?
Links:
Microsoft.EntityFrameworkCore.SqlServer 6.0.26 is described as safe here:
https://github.com/dotnet/core/blob/main/release-notes/6.0/6.0.26/6.0.26.md
Microsoft.Data.SqlClient 2.1.7 is marked as safe here:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-0056

And finally this announcement says that all <3.1.5 versions of Microsoft.Data.SqlClient are vulnerable:
dotnet/announcements#292

@ajcvickers
Member

> Is it correct that it is not enough to update "Microsoft.EntityFrameworkCore.SqlServer" package to 6.0.26, I also need to add direct reference to Microsoft.Data.SqlClient 2.1.7?

Yes.
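
An added example, not part of the thread or of the .NET project's code: a check over a restored project's `obj/project.assets.json` that reports which Microsoft.Data.SqlClient version was actually resolved, which package pulled it in, and whether the direct reference discussed above is present. The function names and the sample data are constructed for illustration; only the 2.1.7 threshold for the 2.1.x line comes from the thread.

```python
# Fixed release of the 2.1.x line as cited in the thread (MSRC, CVE-2024-0056).
FIXED_2_1 = (2, 1, 7)
PACKAGE = "microsoft.data.sqlclient"

def audit_sqlclient(assets):
    """One finding per target in a parsed obj/project.assets.json (a dict)."""
    frameworks = assets.get("project", {}).get("frameworks", {})
    findings = []
    for target, libs in assets.get("targets", {}).items():
        resolved, parents = None, []
        for key, info in libs.items():
            name, _, version = key.partition("/")
            if name.lower() == PACKAGE:
                resolved = version
            if PACKAGE in (d.lower() for d in info.get("dependencies", {})):
                parents.append(key)  # package that drags SqlClient in
        if resolved is None:
            continue
        ver = tuple(int(p) for p in resolved.split("-")[0].split("."))
        direct = frameworks.get(target.split("/")[0], {}).get("dependencies", {})
        findings.append({
            "target": target,
            "resolved": resolved,
            "pulled_in_by": sorted(parents),
            "direct_reference": PACKAGE in (d.lower() for d in direct),
            # Only the line discussed in the thread is judged here; 3.x and
            # later have their own fixed versions listed in the advisory.
            "status": "vulnerable" if ver < FIXED_2_1
                      else "fixed" if ver[:2] == (2, 1) else "check advisory",
        })
    return findings

def sample_assets(sqlclient_version, direct):
    """Constructed, trimmed project.assets.json for a net6.0 project."""
    top = {"Microsoft.EntityFrameworkCore.SqlServer": {"target": "Package", "version": "[6.0.26, )"}}
    if direct:
        top["Microsoft.Data.SqlClient"] = {"target": "Package", "version": "[2.1.7, )"}
    return {
        "targets": {"net6.0": {
            f"Microsoft.Data.SqlClient/{sqlclient_version}": {"type": "package"},
            "Microsoft.EntityFrameworkCore.SqlServer/6.0.26": {
                "type": "package", "dependencies": {"Microsoft.Data.SqlClient": "2.1.4"}},
        }},
        "project": {"frameworks": {"net6.0": {"dependencies": top}}},
    }

if __name__ == "__main__":
    for assets in (sample_assets("2.1.4", False), sample_assets("2.1.7", True)):
        print(audit_sqlclient(assets))
```

Against a real project, run `dotnet restore` first and pass the result of `json.load()` on `obj/project.assets.json` to `audit_sqlclient`.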

@simonhaines

It appears the packages in the packages-microsoft-com-prod repository for Fedora are broken because the dependency dotnet-runtime-deps-8.0-8.0.1 is missing.

 Problem: package aspnetcore-runtime-8.0-8.0.1-1.x86_64 from packages-microsoft-com-prod requires dotnet-runtime-8.0 >= 8.0.1, but none of the providers can be installed
  - cannot install the best candidate for the job
  - nothing provides dotnet-runtime-deps-8.0 >= 8.0.1 needed by dotnet-runtime-8.0-8.0.1-1.x86_64 from packages-microsoft-com-prod
================================================================================
 Package                 Arch    Version     Repository                    Size
================================================================================
Skipping packages with broken dependencies:
 aspnetcore-runtime-8.0  x86_64  8.0.1-1     packages-microsoft-com-prod   10 M
 dotnet-runtime-8.0      x86_64  8.0.1-1     packages-microsoft-com-prod   29 M

@leecow
Member

leecow commented Jan 16, 2024

@simonhaines - which version of Fedora are you using? I just successfully installed dotnet-sdk-8.0 (8.0.101) through Fedora 37 (end-of-life as of 12/2023), 38, and 39 so hopefully things are working for you now.

@simonhaines

simonhaines commented Jan 17, 2024

Thanks @leecow, the issue is with the packages-microsoft-com-prod repository, which at one time must have been the official way to install dotnet on Fedora (I remember having to import a key for it once).

For others facing this issue, you can determine if you have this repository enabled:

~ $ sudo dnf repolist
repo id                      repo name
packages-microsoft-com-prod  packages-microsoft-com-prod
...

A quick look into this repository reveals that most packages have version 8.0.1 except for dotnet-runtime-deps-8.0 which is still on 8.0.0.

~ $ sudo dnf search dotnet --repo packages-microsoft-com-prod
...
Last metadata expiration check: 0:27:38 ago on Thu 18 Jan 2024 09:37:41.
======================== Name & Summary Matched: dotnet ========================
dotnet-runtime-deps-8.0.x86_64 : dotnet-runtime-deps-rhel.8 8.0.0
============================= Name Matched: dotnet =============================
dotnet-apphost-pack-8.0.x86_64 : Microsoft.NETCore.App.Host 8.0.1
dotnet-host.x86_64 : Microsoft .NET Host - 8.0.1
dotnet-hostfxr-8.0.x86_64 : Microsoft .NET Host FX Resolver - 8.0.1
dotnet-runtime-8.0.x86_64 : Microsoft.NETCore.App.Runtime 8.0.1
dotnet-sdk-8.0.x86_64 : Microsoft .NET SDK 8.0.101 8.0.101
dotnet-targeting-pack-8.0.x86_64 : Microsoft.NETCore.App.Ref 8.0.1
dotnet-templates-8.0.x86_64 : .NET 8.0 templates

I assume, from the documentation at https://learn.microsoft.com/en-us/dotnet/core/install/linux-fedora that this repository is no longer the official way of installing dotnet packages, so all installed packages should be removed and re-installed from the Fedora updates repo:

~ $ sudo dnf install dotnet-sdk-8.0 --disablerepo packages-microsoft-com-prod

To disable the broken repository altogether:

~ $ sudo dnf config-manager --set-disabled packages-microsoft-com-prod

Better now, thanks.

@petr-felzmann

> Is it correct that it is not enough to update "Microsoft.EntityFrameworkCore.SqlServer" package to 6.0.26, I also need to add direct reference to Microsoft.Data.SqlClient 2.1.7?

> Yes.

Why did Microsoft.EntityFrameworkCore.SqlServer v6.0.26 not increase the dependency version of Microsoft.Data.SqlClient to >=2.1.7? Isn't it a bug?


@rbhanda rbhanda changed the title from ".NET January 2024 Update - ..NET 8.0.1, NET 7.0.15, .NET 6.0.26" to ".NET January 2024 Update - .NET 8.0.1, NET 7.0.15, .NET 6.0.26" on Feb 13, 2024
@rbhanda
Contributor Author

rbhanda commented Feb 13, 2024

closing in favor of #9163

@rbhanda rbhanda closed this as completed Feb 13, 2024
@rbhanda rbhanda unpinned this issue Feb 13, 2024