Today, we are releasing the .NET Core May 2019 Update. These updates contain security and reliability fixes. See the individual release notes for details on updated packages.
NOTE: If you are a Visual Studio user, there are MSBuild version requirements so use only the .NET Core SDK supported for each Visual Studio version. Information needed to make this choice will be seen on the download page. If you use other development environments, we recommend using the latest SDK release.
- .NET Core 2.2.5 and .NET Core SDK ( Download | Release Notes )
- .NET Core 2.1.11 and .NET Core SDK ( Download | Release Notes )
- .NET Core 1.1.13 and .NET Core SDK ( Download | Release Notes )
- .NET Core 1.0.16 and .NET Core SDK ( Download | Release Notes )
Security
CVE-2019-0820: .NET Core Tampering Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core 1.0, 1.1, 2.1 and 2.2. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A denial of service vulnerability exists when .NET Core improperly processes RegEx strings. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET application.
A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to a .NET Core application.
The update addresses the vulnerability by correcting how .NET Core applications handle RegEx string processing.
CVE-2019-0980: ASP.NET Core Denial of Service Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core and ASP.NET Core 1.0, 1.1, 2.1 and 2.2. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A denial of service vulnerability exists when .NET Core and ASP.NET Core improperly handle web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET Core and ASP.NET Core application. The vulnerability can be exploited remotely, without authentication.
A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to a .NET Core application.
The update addresses the vulnerability by correcting how .NET Core and ASP.NET Core web applications handle web requests.
CVE-2019-0981: ASP.NET Core Denial of Service Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core and ASP.NET Core 1.0, 1.1, 2.1 and 2.2. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A denial of service vulnerability exists when .NET Core and ASP.NET Core improperly handle web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET Core and ASP.NET Core application. The vulnerability can be exploited remotely, without authentication.
A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to a .NET Core application.
The update addresses the vulnerability by correcting how .NET Core and ASP.NET Core web applications handle web requests.
CVE-2019-0982: ASP.NET Core Denial of Service Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core 2.1 and 2.2. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
Microsoft is aware of a denial of service vulnerability exists when ASP.NET Core improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an ASP.NET Core web application. The vulnerability can be exploited remotely, without authentication.
A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the ASP.NET Core application.
The update addresses the vulnerability by correcting how the ASP.NET Core web application handles web requests.
Getting the Update
The latest .NET Core updates are available on the .NET Core download page. This update is also included in the Visual Studio 15.0.22 (.NET Core 1.0 and 1.1) and 15.9.9 (.NET Core 1.0, 1.1 and 2.1) updates, which is also releasing today. Choose Check for Updates in the Help menu.
See the .NET Core release notes ( 1.0.16 | 1.1.13 | 2.1.11 | 2.2.5 ) for details on the release including issues fixed and affected packages.
Docker Images
.NET Docker images have been updated for today’s release. The following repos have been updated.
microsoft/dotnet
microsoft/dotnet-samples
microsoft/aspnetcore
Note: Look at the “Tags” view in each repository to see the updated Docker image tags.
Note: You must re-pull base images in order to get updates. The Docker client does not pull updates automatically.
Azure App Services deployment
Deployment of these updates Azure App Services has been scheduled and they estimate the deployment will be complete by May 26, 2019.
The post .NET Core May 2019 Updates – 1.0.16, 1.1.14, 2.1.11 and 2.2.5 appeared first on .NET Blog.