Today, we are releasing the .NET August 2023 Updates. These updates contain security and non-security improvements. Your app may be vulnerable if you have not deployed a recent .NET update.
You can download 7.0.10 and 6.0.21 versions for Windows, macOS, and Linux, for x86, x64, Arm32, and Arm64.
- Installers and binaries: 7.0.10 | 6.0.21
- Release notes: 7.0.10 | 6.0.21
- Container images
- Linux packages: 7.0.10 | 6.0.21
- Release feedback/issue
- Known issues: 7.0 | 6.0
Windows Package Manager CLI (winget)
You can now install .NET updates using the Windows Package Manager CLI (winget):
- To install the .NET 7 runtime:
winget install dotnet-runtime-7
- To install the .NET 7 SDK:
winget install dotnet-sdk-7
- To update an existing installation:
winget upgrade
See Install with Windows Package Manager (winget) for more information.
Improvements
- ASP.NET Core: 7.0.10 | 6.0.21
- Entity Framework Core: 7.0.10 | 6.0.21
- Runtime: 7.0.10 | 6.0.21
- SDK: 7.0.10
- WPF: 7.0.10
Security
CVE-2023-38178 – .NET Denial of Service Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core 2.1 and .NET 7.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in .NET Kestrel where a malicious client can bypass the QUIC stream limit in HTTP/3 in both ASP.NET and .NET runtimes, resulting in denial of service.
CVE-2023-35390 – .NET Remote Code Execution Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists when some dotnet commands are used in directories with weaker permissions, which can result in remote code execution.
CVE-2023-38180 – .NET Denial of Service Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core 2.1, .NET 6.0, and .NET 7.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in Kestrel where, on detecting a potentially malicious client, Kestrel will sometimes fail to disconnect it, resulting in denial of service.
CVE-2023-35391 – .NET Information Disclosure Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core 2.1, .NET 6.0, and .NET 7.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in ASP.NET Core 2.1, .NET 6.0, and .NET 7.0 applications using SignalR where use of the Redis backplane might result in information disclosure.
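Because a machine can carry several runtime versions at once, a check of what is installed against the fixed versions above (7.0.10 and 6.0.21) is useful after deployment. The following is an added example, not code from Microsoft or from this announcement: it parses the output of `dotnet --list-runtimes` and reports runtimes still below the fixed version for their release line. The function names, status labels and sample output are constructed for illustration.

```python
import re
import shutil
import subprocess

# Fixed versions named in this announcement, keyed by (major, minor) release line.
PATCHED = {(7, 0): (7, 0, 10), (6, 0): (6, 0, 21)}

# `dotnet --list-runtimes` prints one runtime per line: "<name> <version> [<path>]"
LINE_RE = re.compile(r"^(\S+) (\d+)\.(\d+)\.(\d+)(-\S+)? \[(.+)\]$")

# Constructed sample output (not captured from a real machine).
SAMPLE = r"""Microsoft.AspNetCore.App 6.0.20 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 7.0.10 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 6.0.21 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 7.0.9 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 3.1.32 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""

def parse_runtimes(text):
    """Yield (name, (major, minor, patch), is_prerelease, path) per valid line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            version = tuple(int(m.group(i)) for i in (2, 3, 4))
            yield m.group(1), version, m.group(5) is not None, m.group(6)

def classify(version, prerelease=False):
    """Compare one runtime version with the fixed version for its release line."""
    fixed = PATCHED.get(version[:2])
    if fixed is None:
        return "not-covered"  # release line is not named in this announcement
    if version < fixed or (version == fixed and prerelease):
        return "outdated"
    return "patched"

def audit(text):
    """Return (name, version, path) for runtimes below the fixed version."""
    return [(name, ".".join(map(str, ver)), path)
            for name, ver, pre, path in parse_runtimes(text)
            if classify(ver, pre) == "outdated"]

if __name__ == "__main__":
    # Audit the real host when dotnet is on PATH, otherwise the sample above.
    text = SAMPLE
    if shutil.which("dotnet"):
        text = subprocess.run(["dotnet", "--list-runtimes"], capture_output=True,
                              text=True, check=True).stdout
    for name, ver, path in audit(text):
        print(f"OUTDATED {name} {ver} at {path}")
```

A runtime reported as `not-covered` belongs to a release line this announcement does not list, so its status has to be checked against that line's own release notes.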
Visual Studio
See release notes for Visual Studio compatibility for .NET 7.0 and .NET 6.0.
Hello Rahul Bhandari,
Thank you for the info and the update.
Could you please let me know which is the best way to remove the old vulnerable versions with Intune? I’ve managed to deploy the 7.0.10 version with Intune and that works fine, but the old version still exists on those machines.
Thank you.
Hello Rahul,
Thank you for the update. Are these updates done on Azure App Service?
Hello, Rahul. Glad to see you are right on time as always. I appreciate it. Visual Studio update is also in. We’re cleared for deployment.