January 9th, 2024

.NET January 2024 Updates – .NET 8.0.1, 7.0.15, .NET 6.0.26

Rahul Bhandari (MSFT)
Senior Program Manager

Today, we are releasing the .NET January 2024 Updates. These updates contain security and non-security improvements. Your app may be vulnerable if you have not deployed a recent .NET update.

You can download the 8.0.1, 7.0.15, and 6.0.26 versions for Windows, macOS, and Linux, for x86, x64, Arm32, and Arm64.

Windows Package Manager CLI (winget)

You can now install .NET updates using the Windows Package Manager CLI (winget):

  • To install the .NET 8 runtime: winget install dotnet-runtime-8
  • To install the .NET 8 SDK: winget install dotnet-sdk-8
  • To update an existing installation: winget upgrade

See Install with Windows Package Manager (winget) for more information.

Improvements

Security

CVE-2024-0056 – Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data provider Information Disclosure Vulnerability

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET’s System.Data.SqlClient and Microsoft.Data.SqlClient NuGet Packages. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.

A vulnerability exists in the Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data provider where an attacker can perform an AiTM (adversary-in-the-middle) attack between the SQL client and the SQL server. This may allow the attacker to steal authentication credentials intended for the database server, even if the connection is established over an encrypted channel like TLS.

CVE-2024-0057 – .NET Security Feature bypass Vulnerability

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0, .NET 7.0 and .NET 8.0. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.

A security feature bypass vulnerability exists when Microsoft .NET Framework-based applications use X.509 chain building APIs but do not completely validate the X.509 certificate due to a logic flaw. An attacker could present an arbitrary untrusted certificate with malformed signatures, triggering a bug in the framework. The framework will correctly report that X.509 chain building failed, but it will return an incorrect reason code for the failure. Applications which utilize this reason code to make their own chain building trust decisions may inadvertently treat this scenario as a successful chain build. This could allow an adversary to subvert the app’s typical authentication logic.
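The difference between trusting the reason code and trusting the result of the chain build, as an added example that is not code from the advisory or from .NET itself. The pinned private root scenario, the tolerated `UntrustedRoot` flag, and the names `ChainTrust`, `Fragile` and `Hardened` are assumptions chosen for illustration; the certificates are constructed in-process, and `CustomRootTrust` requires .NET 5 or later.

```csharp
// Added example, not code from the advisory. All certificates are constructed here.
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

var now = DateTimeOffset.UtcNow;
using var rootKey = RSA.Create(2048);
var rootReq = new CertificateRequest("CN=Constructed Root", rootKey,
    HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
rootReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
using var root = rootReq.CreateSelfSigned(now.AddDays(-1), now.AddDays(30));

using var leafKey = RSA.Create(2048);
var leafReq = new CertificateRequest("CN=constructed.example", leafKey,
    HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
using var leaf = leafReq.Create(root, now, now.AddDays(7), new byte[] { 1, 2, 3, 4 });

Console.WriteLine($"fragile:  {ChainTrust.Fragile(leaf, root)}");
Console.WriteLine($"hardened: {ChainTrust.Hardened(leaf, root)}");

static class ChainTrust
{
    // Fragile: ignores Build()'s return value and derives trust from the reason
    // codes in ChainStatus, so a misreported reason becomes an acceptance.
    public static bool Fragile(X509Certificate2 cert, X509Certificate2 pinnedRoot)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // no CRL for constructed certs
        chain.ChainPolicy.ExtraStore.Add(pinnedRoot);
        chain.Build(cert);
        bool tolerated = chain.ChainStatus.All(
            s => s.Status == X509ChainStatusFlags.UntrustedRoot);
        return tolerated && chain.ChainElements.Count > 0 &&
               chain.ChainElements[^1].Certificate.Thumbprint == pinnedRoot.Thumbprint;
    }

    // Hardened: the private root is part of the chain policy, and the only
    // accepted outcome is Build() returning true. ChainStatus is for logging only.
    public static bool Hardened(X509Certificate2 cert, X509Certificate2 pinnedRoot)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // no CRL for constructed certs
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(pinnedRoot);
        return chain.Build(cert);
    }
}
```

Code shaped like `Fragile` is worth finding in review even on patched runtimes, because its decision depends on every reason code being accurate.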

CVE-2024-21319 – .NET Denial of Service Vulnerability

Microsoft is releasing this security advisory to provide information about a vulnerability in the ASP.NET Core project templates. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.

A Denial of Service vulnerability exists in ASP.NET Core project templates which utilize JWT-based authentication tokens. This vulnerability allows an unauthenticated client to consume arbitrarily large amounts of server memory, potentially triggering an out-of-memory condition on the server and making the server no longer able to respond to legitimate requests.

Visual Studio

See release notes for Visual Studio compatibility for .NET 8.0, .NET 7.0, and .NET 6.0.

Author

I am a Program Manager on the .NET team. I specialize in .NET release processes. University of Florida alumnus.

3 comments

  • Constantine Burtsev

    No updates for .NET MAUI, disappointing(( Although there are critical bugs with Flyout (Android version) and last update was 2 weeks ago((

  • Ashish Sinha

    Typo in January

    Check out latest Janaury 2024 updates for .NET 7.0 and .NET 6.0

  • Rigg, Bruce (Reigate)

    8.0.1 does not fix

    dotnet watch test

    very disappointing