Today, we are releasing the .NET January 2024 Updates. These updates contain security and non-security improvements. Your app may be vulnerable if you have not deployed a recent .NET update.
You can download the 8.0.1, 7.0.15, and 6.0.26 versions for Windows, macOS, and Linux, for x86, x64, Arm32, and Arm64.
- Installers and binaries: 8.0.1 | 7.0.15 | 6.0.26
- Release notes: 8.0.1 | 7.0.15 | 6.0.26
- Container images
- Linux packages: 8.0.1 | 7.0.15 | 6.0.26
- Release feedback/issue
- Known issues: 8.0 | 7.0 | 6.0
Windows Package Manager CLI (winget)
You can now install .NET updates using the Windows Package Manager CLI (winget):
- To install the .NET 8 runtime:
winget install dotnet-runtime-8
- To install the .NET 8 SDK:
winget install dotnet-sdk-8
- To update an existing installation:
winget upgrade
See Install with Windows Package Manager (winget) for more information.
Improvements
- ASP.NET Core: 8.0.1 | 7.0.15 | 6.0.26
- Entity Framework Core: 8.0.1
- Roslyn-Analysers: 8.0.1
- Runtime: 8.0.1 | 7.0.15 | 6.0.26
- SDK: 8.0.1
- WPF: 8.0.1
Security
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET’s System.Data.SqlClient and Microsoft.Data.SqlClient NuGet Packages. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.
A vulnerability exists in the Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data provider where an attacker can perform an AiTM (adversary-in-the-middle) attack between the SQL client and the SQL server. This may allow the attacker to steal authentication credentials intended for the database server, even if the connection is established over an encrypted channel like TLS.
CVE-2024-0057 – .NET Security Feature Bypass Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0, .NET 7.0 and .NET 8.0. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.
A security feature bypass vulnerability exists when Microsoft .NET Framework-based applications use X.509 chain building APIs but do not completely validate the X.509 certificate due to a logic flaw. An attacker could present an arbitrary untrusted certificate with malformed signatures, triggering a bug in the framework. The framework will correctly report that X.509 chain building failed, but it will return an incorrect reason code for the failure. Applications which utilize this reason code to make their own chain building trust decisions may inadvertently treat this scenario as a successful chain build. This could allow an adversary to subvert the app’s typical authentication logic.
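The pattern at risk in CVE-2024-0057 is code that reinterprets the failure reason after chain building has already failed. The following is an added example, not code from the advisory or from .NET itself: it puts a reason-code-based trust decision beside one that relies only on the `Build()` result with a custom trust anchor. The function names and the throwaway test PKI are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
static class ChainTrustDemo
{
    // Fragile: Build() failed, yet the caller forgives an "expected" reason code.
    // If the framework reports the wrong reason, a chain that never validated passes.
    static bool FragileIsTrusted(X509Certificate2 cert, X509Certificate2 pinnedRoot)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.ExtraStore.Add(pinnedRoot);
        if (chain.Build(cert)) return true;
        return Array.TrueForAll(chain.ChainStatus, s => s.Status == X509ChainStatusFlags.UntrustedRoot)
            && chain.ChainElements[^1].Certificate.Thumbprint == pinnedRoot.Thumbprint;
    }

    // Hardened: the pinned root is the only trust anchor and the Build() result
    // is the only input to the decision; no reason code is interpreted.
    static bool StrictIsTrusted(X509Certificate2 cert, X509Certificate2 pinnedRoot)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(pinnedRoot);
        return chain.Build(cert);
    }

    static X509Certificate2 MakeRoot(string subject, ECDsa key, DateTimeOffset now)
    {
        var req = new CertificateRequest(subject, key, HashAlgorithmName.SHA256);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        return req.CreateSelfSigned(now.AddDays(-1), now.AddDays(30));
    }

    static void Main()
    {
        // Constructed test PKI: two unrelated roots, one leaf issued by root A.
        var now = DateTimeOffset.UtcNow;
        using ECDsa keyA = ECDsa.Create(), keyB = ECDsa.Create(), leafKey = ECDsa.Create();
        using var rootA = MakeRoot("CN=Example Root A", keyA, now);
        using var rootB = MakeRoot("CN=Example Root B", keyB, now);
        var leafReq = new CertificateRequest("CN=leaf.example", leafKey, HashAlgorithmName.SHA256);
        using var leaf = leafReq.Create(rootA, now.AddHours(-1), now.AddDays(7), new byte[] { 1, 2, 3, 4 });
        Console.WriteLine($"strict, issuing root pinned:   {StrictIsTrusted(leaf, rootA)}");
        Console.WriteLine($"strict, unrelated root pinned: {StrictIsTrusted(leaf, rootB)}");
        Console.WriteLine($"fragile, issuing root pinned:  {FragileIsTrusted(leaf, rootA)}");
    }
}
```

For well-formed certificates both functions reach the same answer; they diverge only when a failed build carries a misleading reason code, which is the case the advisory describes. `CustomRootTrust` and `CustomTrustStore` require .NET 5 or later.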
CVE-2024-21319 – .NET Denial of Service Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in the ASP.NET Core project templates. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.
A Denial of Service vulnerability exists in ASP.NET Core project templates which utilize JWT-based authentication tokens. This vulnerability allows an unauthenticated client to consume arbitrarily large amounts of server memory, potentially triggering an out-of-memory condition on the server and making the server no longer able to respond to legitimate requests.
Visual Studio
See release notes for Visual Studio compatibility for .NET 8.0, .NET 7.0, and .NET 6.0.
No updates for .NET MAUI, disappointing(( Although there are critical bugs with Flyout (Android version) and the last update was 2 weeks ago((
Typo in January
Check out latest Janaury 2024 updates for .NET 7.0 and .NET 6.0
8.0.1 does not fix
very disappointing