Today, we are releasing the .NET March 2022 Updates. These updates contain reliability and security improvements. See the individual release notes for details on updated packages.
You can download the 6.0.3, 5.0.15, and 3.1.23 versions for Windows, macOS, and Linux, for x86, x64, Arm32, and Arm64.
- Installers and binaries: 6.0.3 | 5.0.15 | 3.1.23
- Release notes: 6.0.3 | 5.0.15 | 5.0.15
- Container images
- Linux packages: 6.0.3 | 5.0.15 | 3.1.23
- Release feedback/issue
- Known issues: 6.0 | 5.0 | 3.1
Improvements
Security
CVE-2020-8927: .NET Remote Code Execution Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 5.0 and .NET Core 3.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in .NET 5.0 and .NET Core 3.1 because of a buffer overflow in Brotli library versions prior to 1.0.8.
CVE-2022-24464: .NET Denial of Service Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0, .NET 5.0, and .NET Core 3.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
Microsoft is aware of a Denial of Service vulnerability that exists in .NET 6.0, .NET 5.0, and .NET Core 3.1 when parsing certain types of HTTP form requests.
CVE-2022-24512: .NET Remote Code Execution Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0, .NET 5.0, and .NET Core 3.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A Remote Code Execution vulnerability exists in .NET 6.0, .NET 5.0, and .NET Core 3.1 where a stack buffer overrun occurs in the .NET Double Parse routine.
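To check a host against the three advisories above, the following added example (not part of the original post or of any Microsoft tooling) parses the output of `dotnet --list-runtimes` and reports every shared runtime older than the fixed versions named in this post. The script name `audit_runtimes.py` and the sample listing are constructed for illustration.

```python
import re
import sys

# Patched version and advisories per release line, taken from this post.
PATCHED = {
    (6, 0): ((6, 0, 3), ("CVE-2022-24464", "CVE-2022-24512")),
    (5, 0): ((5, 0, 15), ("CVE-2020-8927", "CVE-2022-24464", "CVE-2022-24512")),
    (3, 1): ((3, 1, 23), ("CVE-2020-8927", "CVE-2022-24464", "CVE-2022-24512")),
}

# One line of `dotnet --list-runtimes`: "<framework> <version> [<install dir>]"
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\.(\d+)\.(\d+)(-\S+)?\s+\[(.*)\]$")

# Constructed sample listing (not taken from a real host).
SAMPLE = """\
Microsoft.AspNetCore.App 3.1.23 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 6.0.1 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 3.1.23 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 5.0.12 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 6.0.1 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 6.0.3 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""


def audit(listing):
    """Return (framework, installed, fixed, cves) for each runtime below the fix."""
    findings = []
    for raw in listing.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        version = tuple(int(m.group(i)) for i in (2, 3, 4))
        if version[:2] not in PATCHED:
            continue  # release line not covered by this post
        fixed, cves = PATCHED[version[:2]]
        # Assumption: the fixed version applies to every shared framework listed.
        # A pre-release build of the fixed version still counts as older.
        if version < fixed or (version == fixed and m.group(5)):
            installed = ".".join(map(str, version)) + (m.group(5) or "")
            findings.append((m.group(1), installed, ".".join(map(str, fixed)), cves))
    return findings


if __name__ == "__main__":
    # Pipe real output in: dotnet --list-runtimes | python audit_runtimes.py
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for name, installed, fixed, cves in audit(text):
        print(f"{name} {installed}: update to {fixed} ({', '.join(cves)})")
```

Self-contained deployments bundle their own runtime and do not appear in this listing, so they have to be rebuilt and republished against the updated version.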
Visual Studio
See release notes for Visual Studio compatibility for .NET 6.0, .NET 5.0, and .NET Core 3.1.
For the .Net framework cumulative updates, they keep getting released as “Preview” (and they’re listed as Preview in Windows updates), and yet Windows Update auto-installs them. If it’s truly a preview and there will be a later update coming that’s the real version, Windows update should not auto-install it. If it’s the real version and no later one is coming, then don’t call it a Preview.
The “Release notes” line lists 5.0.15 twice, instead of 3.1.23. Also, the link for what should be 3.1.23 has 3.0.23 in the url; looks like it should be this instead:
https://github.com/dotnet/core/blob/main/release-notes/3.1/3.1.23/3.1.23.md
One Windows Update observation:
1) .NET 6.0.x Desktop Runtime does not seem to get updated, but 5.0.x and 3.1.x do. Is that expected? I got x64 6.0.2.
Edit: Seems they are available though: https://www.catalog.update.microsoft.com/Search.aspx?q=.net%206.0.3%20security%20update
As KB5012417.
1) When will .NET Runtime 6.0.3 be available on Azure App Services (Windows & Linux)?
2) Can .NET App (deployed as “Framework-Dependent”) that uses NuGet packages (eg: Microsoft.EntityFrameworkCore.SqlServer version 6.0.3) run on Azure App Service that does not have latest version of .NET Runtime 6.0.3?
We just changed to self-contained deployment, because we saw that linux app services are still on .net6.0.0 and windows app services on .net6.0.1. Just add --runtime linux-x64 --self-contained true to your dotnet publish commands.
1) I am also curious about when this will be released on Azure App Services (Windows).
2) I can confirm it does work in the Azure environment, but we have an issue using Microsoft.AspNetCore.Mvc.Razor.RuntimeCompilation within the Azure environment with the 6.0.3 versions. We are hoping when Azure gets the latest runtimes, this will go away as it does not cause any issue locally.