May 12th, 2020

.NET Core May 2020 Updates – 2.1.18 and 3.1.4

Rahul Bhandari (MSFT)
Senior Program Manager

Today, we are releasing the .NET Core May 2020 Update. These updates contain security and reliability fixes. See the individual release notes for details on updated packages.

NOTE: If you are a Visual Studio user, there are MSBuild version requirements so use only the .NET Core SDK supported for each Visual Studio version. Information needed to make this choice will be seen on the download page. If you use other development environments, we recommend using the latest SDK release.

Getting the Update

The latest .NET Core updates are available on the .NET Core download page. This update will be included in a future update of Visual Studio.

See the .NET Core release notes ( 2.1.18 | 3.1.4 ) for details on the release, including issues fixed and affected packages.

Docker Images

.NET Docker images have been updated for today’s release. The following repos have been updated.

Note: You must pull updated .NET Core container images to get this update, with either docker pull or docker build --pull.

Lifecycle Updates

Ubuntu 20.04 has been added as a supported OS with this update of .NET Core.

.NET Core is now available natively in the Fedora 32 package archives. See the Fedora documentation for details.

Security

CVE-2020-1108: .NET Core Denial of Service Vulnerability

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

Microsoft is aware of a denial of service vulnerability which exists when .NET Core improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET Core web application. The vulnerability can be exploited remotely, without authentication.

A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET Core application.

The update addresses the vulnerability by correcting how the .NET Core web application handles web requests.

CVE-2020-1161: ASP.NET Core Denial of Service Vulnerability

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

Microsoft is aware of a denial of service vulnerability which exists when ASP.NET Core improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an ASP.NET Core web application. The vulnerability can be exploited remotely, without authentication.

A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the ASP.NET Core application.

The update addresses the vulnerability by correcting how the ASP.NET Core web application handles web requests.

 

Category
.NET

Author

Rahul Bhandari (MSFT)
Senior Program Manager

I am a Program Manager on .NET team. I specializes in .NET release processes. University of Florida Alumnus.

1 comment

Discussion is closed. Login to edit/delete existing comments.

  • Guillaume Renard

    Where can we find details on the vulnerabilities? The MITRE reports simply say “This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.”