Today, we are releasing the .NET Core May 2020 Update. These updates contain security and reliability fixes. See the individual release notes for details on updated packages.
NOTE: If you are a Visual Studio user, there are MSBuild version requirements so use only the .NET Core SDK supported for each Visual Studio version. Information needed to make this choice will be seen on the download page. If you use other development environments, we recommend using the latest SDK release.
- .NET Core 3.1.4 and .NET Core SDK ( Download | Release Notes )
- .NET Core 2.1.18 and .NET Core SDK ( Download | Release Notes )
Getting the Update
The latest .NET Core updates are available on the .NET Core download page. This update will be included in a future update of Visual Studio.
See the .NET Core release notes ( 2.1.18 | 3.1.4 ) for details on the release, including issues fixed and affected packages.
Docker Images
.NET Docker images have been updated for today’s release. The following repos have been updated.
- dotnet/core/sdk: .NET Core SDK
- dotnet/core/aspnet: ASP.NET Core Runtime
- dotnet/core/runtime: .NET Core Runtime
- dotnet/core/runtime-deps: .NET Core Runtime Dependencies
- dotnet/core/samples: .NET Core Samples
Note: You must pull updated .NET Core container images to get this update, with either docker pull
or docker build --pull
.
Lifecycle Updates
Ubuntu 20.04 has been added as a supported OS with this update of .NET Core.
.NET Core is now available natively in the Fedora 32 package archives. See the Fedora documentation for details.
Security
CVE-2020-1108: .NET Core Denial of Service Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
Microsoft is aware of a denial of service vulnerability which exists when .NET Core improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET Core web application. The vulnerability can be exploited remotely, without authentication.
A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET Core application.
The update addresses the vulnerability by correcting how the .NET Core web application handles web requests.
CVE-2020-1161: ASP.NET Core Denial of Service Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
Microsoft is aware of a denial of service vulnerability which exists when ASP.NET Core improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an ASP.NET Core web application. The vulnerability can be exploited remotely, without authentication.
A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the ASP.NET Core application.
The update addresses the vulnerability by correcting how the ASP.NET Core web application handles web requests.
Where can we find details on the vulnerabilities? The MITRE reports simply say “This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.”