.NET Core January 2020 Updates – 2.1.15, 3.0.2, and 3.1.1

Rahul Bhandari (MSFT)

Today, we are releasing the .NET Core January 2020 Update. These updates also contain security and reliability fixes. See the individual release notes for details on updated packages.

NOTE: If you are a Visual Studio user, there are MSBuild version requirements, so use only the .NET Core SDK supported for each Visual Studio version. The information needed to make this choice is on the download page. If you use other development environments, we recommend using the latest SDK release.

Getting the Update

The latest .NET Core updates are available on the .NET Core download page. This update will be included in a future update of Visual Studio.

See the .NET Core release notes ( 2.1.15 | 3.0.2 | 3.1.1 ) for details on the release, including issues fixed and affected packages.
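
To check a host against this update, the following added example (not part of the original post) reads `dotnet --list-runtimes` output and flags any runtime in the 2.1, 3.0 or 3.1 branch that is below 2.1.15, 3.0.2 or 3.1.1. The function names are assumptions and the sample runtime list is constructed.

```shell
#!/bin/sh
# Added example: flag .NET Core runtimes that predate the January 2020 update.
# Patched versions are taken from this post: 2.1.15, 3.0.2 and 3.1.1.

# Patch number that carries the update, per major.minor branch (hypothetical helper).
patched_level() {
  case "$1" in
    2.1) echo 15 ;;
    3.0) echo 2 ;;
    3.1) echo 1 ;;
    *)   return 1 ;;  # branch not covered by this post
  esac
}

# Reads `dotnet --list-runtimes` output on stdin ("<name> <version> [<path>]")
# and prints one line per runtime below the patched level of its branch.
find_outdated_runtimes() {
  while read -r name version rest; do
    core=${version%%-*}   # drop a prerelease suffix such as -preview1
    branch=${core%.*}     # major.minor
    patch=${core##*.}     # patch number
    case "$patch" in ''|*[!0-9]*) continue ;; esac  # skip malformed lines
    min=$(patched_level "$branch") || continue
    if [ "$patch" -lt "$min" ]; then
      echo "OUTDATED $name $version (needs $branch.$min or later)"
    fi
  done
}

# Constructed sample of `dotnet --list-runtimes` output, not from a real host.
SAMPLE_RUNTIMES='Microsoft.AspNetCore.All 2.1.14 [/usr/share/dotnet/shared/Microsoft.AspNetCore.All]
Microsoft.AspNetCore.App 3.1.1 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 2.1.15 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 3.0.1 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 3.1.1 [/usr/share/dotnet/shared/Microsoft.NETCore.App]'

printf '%s\n' "$SAMPLE_RUNTIMES" | find_outdated_runtimes
# On a real host: dotnet --list-runtimes | find_outdated_runtimes
```

Runtimes bundled inside self-contained deployments or container images do not appear in this list and need to be checked where they are built.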

Docker Images

.NET Docker images have been updated for today’s release. The following repos have been updated.

Note: You must pull updated .NET Core container images to get this update, with either docker pull or docker build --pull.

Security

CVE-2020-0602: ASP.NET Core Denial of Service Vulnerability

Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. Microsoft is aware of a denial of service vulnerability that exists when ASP.NET Core improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an ASP.NET Core web application. The vulnerability can be exploited remotely, without authentication. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the ASP.NET Core application. The update addresses the vulnerability by correcting how the ASP.NET Core web application handles web requests.

CVE-2020-0603: ASP.NET Core Remote Code Execution Vulnerability

Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. Microsoft is aware of a remote code execution vulnerability that exists in ASP.NET Core software when the software fails to handle objects in memory. An attacker who successfully exploited this vulnerability could cause a denial of service against an ASP.NET Core web application. The vulnerability can be exploited remotely, without authentication. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the ASP.NET Core application. The update addresses the vulnerability by correcting how the ASP.NET Core web application handles objects in memory.

CVE-2020-0605: .NET Core Remote Code Execution Vulnerability

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. Microsoft is aware of a remote code execution vulnerability that exists in .NET software when the software fails to check the source markup of a file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of .NET Core. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. The security update addresses the vulnerability by correcting how .NET Core checks the source markup of a file.

CVE-2020-0606: .NET Core Remote Code Execution Vulnerability

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. Microsoft is aware of a remote code execution vulnerability that exists in .NET software when the software fails to check the source markup of a file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of .NET Core. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. The security update addresses the vulnerability by correcting how .NET Core checks the source markup of a file.

8 comments

  • Filip Vestergaard

    Do these vulnerabilities also exist in previous versions of .NET Core?

    • Barry Dorrans (Microsoft employee)

      If you are using a supported version and it’s not listed in the affected versions then the vulnerability is not present in those versions.

      If by previous versions you mean ones that are out of support, then I’m afraid we don’t answer any questions about them, security or otherwise, due to the EOL status.

      You can read the support policy at https://dotnet.microsoft.com/platform/support/policy/dotnet-core

  • Stephen Schaff

    .NET Core 3.1 is an LTS (Long Term Support) release.

    If we upgrade to 3.1.1 do we lose the Long Term Support?

    I am basically asking if 3.1.1 is going to go out of support before 3.1?

  • Dean Jackson

    Coming from many years of making .Net Framework apps, I’m now using Core 3.1, and it bugs me to see country folders (es, fr, etc.) in the bin folder, and the “Runtimes” folder with Unix, etc. that I don’t need. I’m using Visual Studio 16.x to make ASP.Net Core apps.

    Can we prevent these folders from getting created? A post-build clean-up event would work, but I want to prevent it.

    • Eaton

      Add this to your csproj or publish profile:

      <SatelliteResourceLanguages>en-US</SatelliteResourceLanguages>

      It should remove most, if not all, of the other language folders.

  • wttest 061

    Hi,

    I’m new to .net core. I have some questions regarding the update of .net core:

    1) Are there any KB updates for .net core (security or feature)?
    2) If not, what is the reason of no KB update?