.NET May 2022 Updates – .NET 6.0.5, .NET 5.0.17, and .NET Core 3.1.25

Dominique Whittaker

Today, we are releasing the .NET May 2022 Updates. These updates contain security and non-security improvements. See the individual release notes for details on updated packages.

You can download versions 6.0.5, 5.0.17, and 3.1.25 for Windows, macOS, and Linux, for x86, x64, Arm32, and Arm64.

.NET 5.0 Out Of Support Starting May 10, 2022

The May 2022 update is the last one for .NET 5.0. After it, Microsoft will no longer provide servicing updates, including security fixes, or technical support. Please update to a supported version of .NET (.NET 6.0) to continue receiving updates.

Improvements

Security

CVE-2022-29117: .NET Denial of Service Vulnerability

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0, .NET 5.0 and .NET Core 3.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists in .NET 6.0, .NET 5.0 and .NET Core 3.1 where a malicious client can manipulate cookies and cause a Denial of Service.

CVE-2022-23267: .NET Denial of Service Vulnerability

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0, .NET 5.0 and .NET Core 3.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists in .NET 6.0, .NET 5.0 and .NET Core 3.1 where a malicious client can cause a Denial of Service via excess memory allocations through HttpClient.

CVE-2022-29145: .NET Denial of Service Vulnerability

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0, .NET 5.0 and .NET Core 3.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists in .NET 6.0, .NET 5.0 and .NET Core 3.1 where a malicious client can cause a Denial of Service when HTML forms are parsed.
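To check which hosts still need this update, the following added example (not part of the original post and not Microsoft tooling) parses the output of `dotnet --list-runtimes` and compares each runtime with the patched versions named above. The sample listing, function name and status labels are constructed for illustration.

```python
import re

# Patched versions named in this post, keyed by major.minor release line.
PATCHED = {"6.0": (6, 0, 5), "5.0": (5, 0, 17), "3.1": (3, 1, 25)}
# Release lines the post says get no further servicing after May 2022.
END_OF_SUPPORT = {"5.0"}

# One line of `dotnet --list-runtimes`: "<name> <version> [<install path>]"
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ver>\d+\.\d+\.\d+)(?P<pre>-\S+)?\s+\[(?P<path>.*)\]$"
)

# Constructed sample output (not captured from a real host).
SAMPLE_LISTING = """\
Microsoft.AspNetCore.App 3.1.24 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 6.0.5 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 3.1.24 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 5.0.17 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 6.0.5 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""


def audit_runtimes(listing):
    """Return (runtime name, version, status) for each runtime line found."""
    findings = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank lines and anything that is not a runtime entry
        version = tuple(int(part) for part in m["ver"].split("."))
        release_line = "%d.%d" % version[:2]
        patched = PATCHED.get(release_line)
        if patched is None:
            status = "not-covered"  # release line not mentioned in this post
        elif version < patched or (version == patched and m["pre"]):
            status = "needs-update"  # older build, or a prerelease of the fix
        elif release_line in END_OF_SUPPORT:
            status = "patched-end-of-support"  # current, but no future fixes
        else:
            status = "patched"
        findings.append((m["name"], m["ver"] + (m["pre"] or ""), status))
    return findings


if __name__ == "__main__":
    for name, version, status in audit_runtimes(SAMPLE_LISTING):
        print(f"{status:24} {name} {version}")
```

Self-contained deployments carry their own copy of the runtime and do not appear in this listing, so they have to be rebuilt and redeployed separately.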

Visual Studio

See release notes for Visual Studio compatibility for .NET 6.0, .NET 5.0, and .NET Core 3.1.

OS Lifecycle Update

Ubuntu 22.04 is now supported with the .NET 6.0.5, .NET 5.0.17, and .NET Core 3.1.25 updates. The operating system support pages for .NET 6.0, .NET 5.0, and .NET Core 3.1 have been updated to reflect that.

We are also aware of an OpenSSL error on the Arm32 architecture and are actively working to address it. This issue is being tracked here.

6 comments


  • Olav Rønnestad Birkeland 0
  • Mystery Man 0

    Hello, Ms. Whittaker. It looks like you’re going to be with us every patch Tuesday. 👍

    There is something funny about these patches, though. Microsoft Update installed .NET 6.0.5 and 3.1.25 on machines that didn’t have any versions of .NET installed on them. I uninstalled them, but they came back! I caught Microsoft Update installing them. Is this an anomaly, or has Microsoft started pushing .NET over Microsoft Update?

    • Dominique Whittaker (Microsoft employee) 0

      Hi Mystery Man! Yes, I’ll be here on Patch Tuesday :). Thank you for the feedback! It is not expected to have .NET offer if you don’t already have a previous version of it installed on your PC. Can you please do the following so we can investigate?

      • Run http://aka.ms/vscollect.exe which will produce a vslogs.zip file in your %temp% directory
      • Open PowerShell and run the PowerShell cmdlet Get-WindowsUpdateLog which will generate a windowsupdate.log file on your desktop
      • Send the resulting vslogs.zip and windowsupdate.log files to charitys@microsoft.com
      • Note: please do not attach the files to any GitHub issue or comment as they may contain personal data
      • In the email please note the operating system version you are on

      Thanks so much,
      Dominique

  • John Dyer 0

    How will this all work with issues in Microsoft-produced NuGet packages and security updates? It’s looking like automatic updates will only apply to the main .NET install and then developers will be on their own to re-deploy software with updated packages. Previously when all that goodness was baked into the .NET framework we got updates automatically. I’m not sure this NuGet idea for basic stuff is really a step forward, at least from a security perspective.

    Thoughts and ideas for handling security updates smoothly?

  • pitagoras fernandez 0

    Hi. Greetings from Costa Rica, pura vida.
    I would like to know if there is a calendar where I can schedule my dotnet updates. I have to announce them to my clients and it would be great if I previously knew their release dates.
    Thanks a lot
