.NET Core March 2019 Updates – 1.0.15, 1.1.12, 2.1.9 and 2.2.3
Today, we are releasing the .NET Core March 2019 Update. These updates contain security and reliability fixes. See the individual release notes for details on included reliability fixes.
- .NET Core 2.2.3 and .NET Core SDK 2.2.105 ( Download | Release Notes )
- .NET Core 2.1.9 and .NET Core SDK 2.1.505 ( Download | Release Notes )
- .NET Core 1.1.12 and .NET Core SDK 1.1.13 ( Download | Release Notes )
- .NET Core 1.0.15 and .NET Core SDK 1.1.13 ( Download | Release Notes )
A tampering vulnerability exists in NuGet software when executed in a Linux or Mac environment. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerability requires that an attacker can login as any other user on that machine. At that point, the attacker will be able to replace or add to files that were created by a NuGet restore operation in the current users account.
The security update addresses the vulnerability by correcting how NuGet restore creates file permissions for all files extracted to the client machine.
Getting the Update
The latest .NET Core updates are available on the .NET Core download page. This update is also included in the Visual Studio 15.0.22 (.NET Core 1.0 and 1.1) and 15.9.9 (.NET Core 1.0, 1.1 and 2.1) updates, which is also releasing today. Choose Check for Updates in the Help menu.
.NET Docker images have been updated for today’s release. The following repos have been updated.
Note: Look at the “Tags” view in each repository to see the updated Docker image tags.
Note: You must re-pull base images in order to get updates. The Docker client does not pull updates automatically.
Azure App Services deployment
Deployment of these updates Azure App Services has been scheduled and they estimate the deployment will be complete by March 26, 2019.