Today, we are releasing the .NET Core January 2020 Update. These updates also contain security and reliability fixes. See the individual release notes for details on updated packages.
NOTE: If you are a Visual Studio user, there are MSBuild version requirements, so use only the .NET Core SDK supported for each Visual Studio version. The information needed to make this choice is shown on the download page. If you use other development environments, we recommend using the latest SDK release.
- .NET Core 3.1.1 and .NET Core SDK ( Download | Release Notes )
- .NET Core 3.0.2 and .NET Core SDK ( Download | Release Notes )
- .NET Core 2.1.15 and .NET Core SDK ( Download | Release Notes )
Getting the Update
The latest .NET Core updates are available on the .NET Core download page. This update will be included in a future update of Visual Studio.
See the .NET Core release notes ( 2.1.15 | 3.0.2 | 3.1.1 ) for details on the release, including issues fixed and affected packages.
Docker Images
.NET Docker images have been updated for today’s release. The following repos have been updated.
- dotnet/core/sdk: .NET Core SDK
- dotnet/core/aspnet: ASP.NET Core Runtime
- dotnet/core/runtime: .NET Core Runtime
- dotnet/core/runtime-deps: .NET Core Runtime Dependencies
- dotnet/core/samples: .NET Core Samples
Note: You must pull updated .NET Core container images to get this update, with either docker pull or docker build --pull.
Security
CVE-2020-0602: ASP.NET Core Denial of Service Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. Microsoft is aware of a denial of service vulnerability that exists when ASP.NET Core improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an ASP.NET Core web application. The vulnerability can be exploited remotely, without authentication. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the ASP.NET Core application. The update addresses the vulnerability by correcting how the ASP.NET Core web application handles web requests.
CVE-2020-0603: ASP.NET Core Remote Code Execution Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. Microsoft is aware of a remote code execution vulnerability that exists in ASP.NET Core software when the software fails to handle objects in memory. An attacker who successfully exploited this vulnerability could cause a denial of service against an ASP.NET Core web application. The vulnerability can be exploited remotely, without authentication. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the ASP.NET Core application. The update addresses the vulnerability by correcting how the ASP.NET Core web application handles objects in memory.
CVE-2020-0605: .NET Core Remote Code Execution Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. Microsoft is aware of a remote code execution vulnerability that exists in .NET software when the software fails to check the source markup of a file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of .NET Core. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. The security update addresses the vulnerability by correcting how .NET Core checks the source markup of a file.
CVE-2020-0606: .NET Core Remote Code Execution Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. Microsoft is aware of a remote code execution vulnerability that exists in .NET software when the software fails to check the source markup of a file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of .NET Core. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. The security update addresses the vulnerability by correcting how .NET Core checks the source markup of a file.
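To check whether a host or container still carries a runtime older than the update levels named in this post (2.1.15, 3.0.2, 3.1.1), the following added example, which is not part of the original announcement, classifies the lines printed by dotnet --list-runtimes. The function names and the sample lines are constructed for illustration; OUTDATED means only "older than the update for that release line", and release lines the post does not mention are reported as UNLISTED.

```shell
#!/bin/sh
# Added example (not from the original post). Flags installed runtimes that are
# older than the January 2020 update levels named above: 2.1.15, 3.0.2, 3.1.1.

# Patch number of the update for a release line; empty if the post lists none.
patched_for() {
  case "$1" in
    2.1) echo 15 ;;
    3.0) echo 2 ;;
    3.1) echo 1 ;;
  esac
}

# Reads `dotnet --list-runtimes` lines on stdin: "<name> <version> [<path>]".
# Prints "OUTDATED|OK|UNLISTED <name> <version>" for each runtime.
check_runtimes() {
  while read -r name version _path; do
    core=${version%%-*}                          # ignore any pre-release label
    case "$core" in *.*.*) ;; *) continue ;; esac  # need major.minor.patch
    major=${core%%.*}; rest=${core#*.}
    minor=${rest%%.*}; patch=${rest#*.}; patch=${patch%%.*}
    case "$major.$minor.$patch" in *[!0-9.]*|.*|*..*|*.) continue ;; esac
    want=$(patched_for "$major.$minor")
    if [ -z "$want" ]; then
      echo "UNLISTED $name $version"
    elif [ "$patch" -lt "$want" ]; then
      echo "OUTDATED $name $version (update to $major.$minor.$want)"
    else
      echo "OK $name $version"
    fi
  done
}

# Constructed sample in the format `dotnet --list-runtimes` prints.
sample_runtimes() {
  cat <<'EOF'
Microsoft.AspNetCore.App 3.1.0 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 3.1.1 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 2.1.14 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 2.2.8 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
EOF
}

# On a real host: dotnet --list-runtimes | check_runtimes
sample_runtimes | check_runtimes
```

The same pipe works against a container image that includes the dotnet host, by running dotnet --list-runtimes inside the image and feeding its output to check_runtimes.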
Hi,
I’m new to .NET Core. I have some questions regarding the update of .NET Core:
1) Are there any KB updates for .NET Core (security or feature)?
2) If not, what is the reason for no KB update?
.NET Core 3.0 implements .NET Standard 2.1. However, the default dotnet new classlib template generates a project that still targets .NET Standard 2.0. To target .NET Standard
Coming from many years of making .NET Framework apps, I’m now using Core 3.1, and it bugs me to see country folders (es, fr, etc.) in the bin folder, and the “Runtimes” folder with Unix, etc. that I don’t need. I’m using Visual Studio 16.x to make ASP.NET Core apps.
Can we prevent these folders from getting created? A post-build clean-up event would work, but I want to prevent it.
Add this to your csproj or publish profile:
<SatelliteResourceLanguages>en-US</SatelliteResourceLanguages>
It should remove most, if not all, of the other language folders.
.NET Core 3.1 is an LTS (Long Term Support) release.
If we upgrade to 3.1.1 do we lose the Long Term Support?
I am basically asking if 3.1.1 is going to go out of support before 3.1?
As per the official policy, .NET Core 3.1 and its subsequent patches fall under long term support. Upgrading to 3.1.1 will not result in losing LTS.
Do these vulnerabilities also exist in previous versions of .NET Core?
If you are using a supported version and it’s not listed in the affected versions then the vulnerability is not present in those versions.
If by previous versions you mean ones that are out of support, then I’m afraid we don’t answer any questions about them, security or otherwise, due to the EOL status.
You can read the support policy at https://dotnet.microsoft.com/platform/support/policy/dotnet-core