May 10th, 2022

.NET May 2022 Updates – .NET 6.0.5, .NET 5.0.17, and .NET Core 3.1.25

Dominique Whittaker
Senior Program Manager

Today, we are releasing the .NET May 2022 Updates. These updates contain security and non-security improvements. See the individual release notes for details on updated packages.

You can download the 6.0.5, 5.0.17, and 3.1.25 versions for Windows, macOS, and Linux, for x86, x64, Arm32, and Arm64.

.NET 5.0 Out Of Support Starting May 10, 2022

May 2022 is the last update for .NET 5.0 and Microsoft will no longer provide servicing updates, including security fixes or technical support. Please update the version of .NET you are using to a supported version (.NET 6.0) in order to continue to receive updates.

Improvements

Security

CVE-2022-29117: .NET Denial of Service Vulnerability

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0, .NET 5.0 and .NET Core 3.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists in .NET 6.0, .NET 5.0 and .NET Core 3.1 where a malicious client can manipulate cookies and cause a Denial of Service.

CVE-2022-23267: .NET Denial of Service Vulnerability

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0, .NET 5.0 and .NET Core 3.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists in .NET 6.0, .NET 5.0 and .NET Core 3.1 where a malicious client can cause a Denial of Service via excess memory allocations through HttpClient.

CVE-2022-29145: .NET Denial of Service Vulnerability

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0, .NET 5.0 and .NET Core 3.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists in .NET 6.0, .NET 5.0 and .NET Core 3.1 where a malicious client can cause a denial of service when HTML forms are parsed.
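
As an added example (not code from this post or from Microsoft), the Python script below classifies the lines printed by `dotnet --list-runtimes` against the versions this announcement names: 6.0.5, 5.0.17 and 3.1.25, with the 5.0 line flagged as end of support. The status labels and the sample listing are constructed for illustration.

```python
import re

# Patched patch-level per release line, from the versions this announcement names.
PATCHED = {(6, 0): 5, (5, 0): 17, (3, 1): 25}
# Release line the announcement says gets no further servicing after May 2022.
END_OF_SUPPORT = {(5, 0)}

# `dotnet --list-runtimes` prints one runtime per line: "<name> <version> [<path>]"
LINE = re.compile(r"^(\S+)\s+(\d+)\.(\d+)\.(\d+)(\S*)\s+\[.+\]$")

# Constructed sample listing (not captured from a real machine).
SAMPLE = """\
Microsoft.AspNetCore.App 3.1.25 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 6.0.4 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 2.1.30 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 5.0.17 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 6.0.5 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""


def audit(listing):
    """Classify each runtime line as patched, needs-update, end-of-support or not-covered."""
    findings = []
    for raw in listing.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        name, suffix = m.group(1), m.group(5)
        major, minor, patch = (int(m.group(i)) for i in (2, 3, 4))
        floor = PATCHED.get((major, minor))
        if floor is None:
            status = "not-covered"      # release line not named in this announcement
        elif patch < floor:
            status = "needs-update"     # older than the May 2022 update
        elif (major, minor) in END_OF_SUPPORT:
            status = "end-of-support"   # at the final update; move to 6.0
        else:
            status = "patched"
        findings.append((name, f"{major}.{minor}.{patch}{suffix}", status))
    return findings


if __name__ == "__main__":
    for name, version, status in audit(SAMPLE):
        print(f"{status:15} {name} {version}")
```

Self-contained deployments bundle their own copy of the runtime and do not appear in this listing, so they need to be rebuilt and redeployed against the updated version.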

Visual Studio

See release notes for Visual Studio compatibility for .NET 6.0, .NET 5.0, and .NET Core 3.1.

OS Lifecycle Update

Ubuntu 22.04 is now supported with the .NET 6.0.5, .NET 5.0.17, and .NET Core 3.1.25 updates. The operating system support pages for .NET 6.0, .NET 5.0, and .NET Core 3.1 have been updated to reflect that.

We are also aware of an OpenSSL error on the Arm32 architecture and are actively working to address it. This issue is being tracked here.

6 comments


  • AlanW

    Hi. Greetings from Costa Rica, pura vida.
    I would like to know if there is a calendar where I can schedule my dotnet updates. I have to announce them to my clients and it would be great if I previously knew their release dates.
    Thanks a lot

  • John Dyer

    How will this all work with issues in Microsoft produced Nuget packages and security updates? It's looking like automatic updates will only apply to the main .NET install and then developers will be on their own to re-deploy software with updated packages. Previously when all that goodness was baked into the .NET framework we got updates automatically. I'm not sure this Nuget idea for basic stuff is really a step forward, at...

  • Flux

    Hello, Ms. Whittaker. It looks like you’re going to be with us every patch Tuesday. 👍

    There is something funny about these patches, though. Microsoft Update installed .NET 6.0.5 and 3.1.25 on machines that didn’t have any versions of .NET installed on them. I uninstalled them, but they came back! I caught Microsoft Update installing them. Is this an anomaly, or has Microsoft started pushing .NET over Microsoft Update?

    • Dominique Whittaker (Microsoft employee, Author)

      Hi Mystery Man! Yes, I'll be here on Patch Tuesday :). Thank you for the feedback! It is not expected to have .NET offer if you don't already have a previous version of it installed on your PC. Can you please do the following so we can investigate?

      • Run http://aka.ms/vscollect.exe which will produce a vslogs.zip file in your %temp% directory
      • Open PowerShell and run the PowerShell cmdlet Get-WindowsUpdateLog...


  • Olav Rønnestad Birkeland · Edited

    I've been unable to download the latest .NET desktop runtime for hours now:

    Fetched from here:

    Is there an outage?

    This URL seems to work though:
