Today, we are releasing the .NET Core April 2019 Update. These updates contain security and reliability fixes. See the individual release notes for details on included fixes.
- .NET Core 2.2.4 and .NET Core SDK 2.2.106 ( Download | Release Notes )
- .NET Core 2.1.10 and .NET Core SDK 2.1.506 ( Download | Release Notes)
Security
Microsoft Security Advisory CVE-2019-0815: ASP.NET Core Denial of Service Vulnerability
A denial of service vulnerability exists in ASP.NET Core 2.2 where, if an application is hosted on Internet Information Server (IIS) a remote unauthenticated attacker can use a specially crafted request to cause a Denial of Service.
The vulnerability affects any Microsoft ASP.NET Core 2.2 applications if it is hosted on an IIS server running AspNetCoreModuleV2 (ANCM) prior to and including 12.2.19024.2. The security update addresses the vulnerability by ensuring the IIS worker process does not crash in response to specially crafted requests.
Getting the Update
The latest .NET Core updates are available on the .NET Core download page.
See the .NET Core release notes ( 2.1.10 | 2.2.4 ) for details on the release including a issues fixed and affected packages.
Docker Images
.NET Docker images have been updated for today’s release. The following repos have been updated.
microsoft/dotnet microsoft/dotnet-samples microsoft/aspnetcore
Note: Look at the “Tags” view in each repository to see the updated Docker image tags.
Note: You must re-pull base images in order to get updates. The Docker client does not pull updates automatically.
Azure App Services deployment
Deployment of these updates Azure App Services has been scheduled and they estimate the deployment will be complete by Apr 23, 2019.
Hello, I am part of patch analyst who search details for your latest released of patch version. I would like to seek your confirmation regarding versions .Net SDK Core 2.1.506 and .Net SDK Core 2.1.603 if we have vulnerability or CVE for those patch versions. Please confirm also if that patch version is a security or non security patch. Based on your released notes .Net Core SDK 2.1.10 release carries both security and non-security fixes....
thanks for the update.
https://devblogs.microsoft.com/dotnet/author/alexthomson/