.NET Core September 2019 Updates – 2.1.13 and 2.2.7

Lee Coward

Lee

Today, we are releasing the .NET Core September 2019 Update. These updates contain security and reliability fixes. See the individual release notes for details on updated packages.

NOTE: If you are a Visual Studio user, there are MSBuild version requirements so use only the .NET Core SDK supported for each Visual Studio version. Information needed to make this choice will be seen on the download page. If you use other development environments, we recommend using the latest SDK release.

Security

CVE-2019-1302: ASP.NET Core Elevation Of Privilege Vulnerability

Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

Microsoft is aware of an elevation of privilege vulnerability exists when an ASP.NET Core web application, created using vulnerable project templates, fails to properly sanitize web requests. An attacker who successfully exploited this vulnerability could perform content injection attacks and run a script in the security context of the logged-on user.

To exploit the vulnerability, an attacker could send a specially crafted email, containing a malicious link, to a user. Alternatively, an attacker could use a chat client to social engineer a user into clicking the malicious link. However, in all cases to exploit this vulnerability, a user must click a maliciously crafted link from an attacker.

The update addresses the vulnerability by correcting how the .NET Core web application handles content encoding and updates the application templates to depend on the corrected code libraries.

CVE-2019-1301: Denial of Service Vulnerability in .NET Core

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

Microsoft is aware of a denial of service vulnerability when .NET Core improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET Core web application. The vulnerability can be exploited remotely, without authentication.

The update addresses the vulnerability by correcting how the .NET Core web application handles web requests.

CVE-2018-8269: Denial of Service Vulnerability in OData

Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

Microsoft is aware of a denial of service attack in the Microsoft OData library used in ASP.NET could cause a denial of service against an OData web application. An unauthenticated, remote attacker could exploit this vulnerability by issuing specially crafted requests to the OData application.

The update addresses the vulnerability by updating the version of OData ASP.NET Core uses.

Getting the Update

The latest .NET Core updates are available on the .NET Core download page. This update is also included in the Visual Studio 15.9.16, 16.0.8 and 16.2.5 which are also releasing today. Choose Check for Updates in the Help menu.

See the .NET Core release notes ( 2.1.13 | 2.2.7 ) for details on the release, including issues fixed and affected packages.

Docker Images

.NET Docker images have been updated for today’s release. The following repos have been updated.

microsoft/dotnet
microsoft/dotnet-samples
microsoft/aspnetcore

Note: Look at the “Tags” view in each repository to see the updated Docker image tags.

Note: You must re-pull base images to get updates. The Docker client does not pull updates automatically.

Azure App Services deployment

Deployment of these updates Azure App Services has been scheduled, and they estimate completion by September 23, 2019.

Lee Coward
Lee Coward

Follow Lee   

2 comments

  • Avatar
    Adam Pluciński

    SDK 2.2.402

    in left pane there is
    v2.2.7
    Current  Security patch 
    Released 2019-09-10
    Release notes
    Supports C# 7.3
    Supports F# 4.6
    Supports Visual Studio 2017 (v16.2)
    Included in 16.2.5
    ASP.NET Core IIS Module 12.2.19169.6

    Shouldn’t be Visual Studio 2019 instead of 2017?

  • Avatar
    Mike Kennedy

    I tried to Patch 2.1.5 to 2.1.13 but now I have 2 Version.
    My question is is there a patch for 2.1.5 or do I need to Uninstall 2.1.5 and then install 2.1.13.

    Please Help
    Thanks

Leave a comment