.NET Core March 2019 Updates – 1.0.15, 1.1.12, 2.1.9 and 2.2.3

Lee Coward

Today, we are releasing the .NET Core March 2019 Update. These updates contain security and reliability fixes. See the individual release notes for details on included reliability fixes.

Security

Microsoft Security Advisory CVE-2019-0757: .NET Core NuGet Tampering Vulnerability

A tampering vulnerability exists in NuGet software when executed in a Linux or Mac environment. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerability requires that an attacker can log in as any other user on that machine. At that point, the attacker will be able to replace or add to files that were created by a NuGet restore operation in the current user's account.

The security update addresses the vulnerability by correcting how NuGet restore creates file permissions for all files extracted to the client machine.
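To check a Linux or Mac machine for the condition the advisory describes, the following added example (not Microsoft's or NuGet's code) walks a package folder and reports entries another local account could modify. It assumes NuGet's default global packages folder, `~/.nuget/packages`, and approximates "replaceable by another user" as group/other write bits or foreign ownership, since the advisory does not list the exact permission bits.

```python
import os
import stat
import sys

# Assumption: NuGet's default global packages folder; pass another path as argv[1].
DEFAULT_ROOT = os.path.expanduser("~/.nuget/packages")

# Assumption: the advisory does not name the permission bits, so any
# group- or world-write bit is treated as "another local user could tamper".
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def find_tamperable(root):
    """Return sorted (path, mode, reasons) for entries under root that are
    writable by group/other or not owned by the current user."""
    findings = []
    me = os.getuid()
    for dirpath, dirnames, filenames in os.walk(root):
        entries = dirnames + filenames
        if dirpath == root:
            entries = ["."] + entries  # include the root folder itself
        for name in entries:
            path = os.path.normpath(os.path.join(dirpath, name))
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # link mode bits carry no meaning; its parent dir is checked
            reasons = []
            if st.st_mode & WRITABLE_BY_OTHERS:
                reasons.append("writable by group/other")
            if st.st_uid != me:
                reasons.append("owned by uid %d" % st.st_uid)
            if reasons:
                findings.append((path, stat.filemode(st.st_mode), reasons))
    return sorted(findings)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_ROOT
    results = find_tamperable(root)
    for path, mode, reasons in results:
        print("%s  %s  (%s)" % (mode, path, "; ".join(reasons)))
    # Non-zero exit lets a CI job or cron check fail on any finding.
    sys.exit(1 if results else 0)
```

A writable directory is as significant as a writable file, because it lets another account add or replace entries inside it. Packages restored before the update keep their old permissions, so run the check after updating as well.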

Getting the Update

The latest .NET Core updates are available on the .NET Core download page. This update is also included in the Visual Studio 15.0.22 (.NET Core 1.0 and 1.1) and 15.9.9 (.NET Core 1.0, 1.1 and 2.1) updates, which are also releasing today. Choose Check for Updates in the Help menu.

See the .NET Core release notes ( 1.0.15 | 1.1.12 | 2.1.9 | 2.2.3 ) for details on the release including issues fixed and affected packages.

Docker Images

.NET Docker images have been updated for today’s release. The following repos have been updated.

microsoft/dotnet
microsoft/dotnet-samples
microsoft/aspnetcore

Note: Look at the “Tags” view in each repository to see the updated Docker image tags.

Note: You must re-pull base images in order to get updates. The Docker client does not pull updates automatically.

Azure App Services deployment

Deployment of these updates to Azure App Services has been scheduled, and they estimate the deployment will be complete by March 26, 2019.
