10/24/2023: this post was revised to update the October 10, 2023 security releases. Today’s .NET 7.0.13 and .NET 6.0.24 releases contain the security fixes from our previous September release that were missing in the October release.
You can download 7.0.13 and 6.0.24 versions for Windows, macOS, and Linux, for x86, x64, Arm32, and Arm64.
- Installers and binaries: 7.0.13 | 6.0.24
- Release notes: 7.0.13 | 6.0.24
- Container images
- Linux packages: 7.0.13 | 6.0.24
- Release feedback/issue
- Known issues: 7.0 | 6.0
Security
September 12, 2023 Security Updates
Note: The vulnerabilities CVE-2023-36792, CVE-2023-36793, CVE-2023-36794, and CVE-2023-36796 are all resolved by a single patch. Get this update to resolve all of them.
CVE-2023-36792 – .NET Remote Code Execution Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in Microsoft.DiaSymReader.Native.amd64.dll when reading a corrupted PDB file which may lead to remote code execution. This issue only affects Windows systems.
CVE-2023-36793 – .NET Remote Code Execution Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in Microsoft.DiaSymReader.Native.amd64.dll when reading a corrupted PDB file which may lead to remote code execution. This issue only affects Windows systems.
CVE-2023-36794 – .NET Remote Code Execution Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in Microsoft.DiaSymReader.Native.amd64.dll when reading a corrupted PDB file which may lead to remote code execution. This issue only affects Windows systems.
CVE-2023-36796 – .NET Remote Code Execution Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in Microsoft.DiaSymReader.Native.amd64.dll when reading a corrupted PDB file which may lead to remote code execution. This issue only affects Windows systems.
CVE-2023-36799 – .NET Denial of Service Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in .NET where reading a maliciously crafted X.509 certificate may result in Denial of Service. This issue only affects Linux systems.
October 10, 2023 Security Updates
CVE-2023-44487 – .NET Denial of Service Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0 RC1, .NET 7.0, and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability. A patch for this vulnerability (nicknamed “Rapid Reset”) is being released in coordination with other industry partners.
A vulnerability exists in the ASP.NET Core Kestrel web server where a malicious client may flood the server with specially crafted HTTP/2 requests, causing denial of service.
CVE-2023-38171 – .NET Denial of Service Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 8.0 RC1. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.
A null pointer vulnerability exists in MsQuic.dll which may lead to Denial of Service. This issue only affects Windows systems.
CVE-2023-36435 – .NET Denial of Service Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 8.0 RC1. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.
A memory leak vulnerability exists in MsQuic.dll which may lead to Denial of Service. This issue only affects Windows systems.
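To check a host against the versions named in this post, the following added example (not Microsoft's code) parses the text printed by `dotnet --list-runtimes` and flags any 6.0 or 7.0 runtime below 6.0.24 or 7.0.13. The function name `audit_runtimes`, the status labels, and the sample listing are constructed for illustration.

```python
import re

# Patched versions named in this post, keyed by major.minor release band.
PATCHED = {"6.0": (6, 0, 24), "7.0": (7, 0, 13)}

# Line shape printed by `dotnet --list-runtimes`: "<name> <version> [<path>]"
LINE = re.compile(r"^(\S+)\s+(\d+)\.(\d+)\.(\d+)(-\S+)?\s+\[(.*)\]$")


def audit_runtimes(listing: str):
    """Return (name, version, status) for each runtime line in the listing."""
    results = []
    for raw in listing.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        name = m.group(1)
        major, minor, patch = int(m.group(2)), int(m.group(3)), int(m.group(4))
        version = f"{major}.{minor}.{patch}{m.group(5) or ''}"
        floor = PATCHED.get(f"{major}.{minor}")
        if floor is None:
            # The post names no fixed version for this band (e.g. 8.0 RC1).
            status = "not-covered"
        elif (major, minor, patch) < floor:
            status = "needs-update"
        else:
            status = "patched"
        results.append((name, version, status))
    return results


# Constructed sample listing (not captured from a real machine).
SAMPLE = """\
Microsoft.AspNetCore.App 6.0.22 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 7.0.13 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 6.0.24 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 7.0.12 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.0-rc.1.23419.4 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""

if __name__ == "__main__":
    for name, version, status in audit_runtimes(SAMPLE):
        print(f"{status:12} {name} {version}")
```

Runtimes install side by side, so an older 6.0.x or 7.0.x entry can remain listed after the update is installed; each line is reported separately for that reason.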
Visual Studio
See release notes for Visual Studio compatibility for .NET 7.0 and .NET 6.0.
Regarding the vulnerability CVE-2023-44487, do we know if applications using .NET Framework are impacted and more specifically, if they are deployed and hosted on IIS?
There is no specific .NET Framework update required to mitigate this vulnerability. However, non-.NET Framework components like IIS and HTTP.SYS require their own patch against this attack. These patches are part of the cumulative Windows OS updates that were released on Oct. 10.
Thanks Rahul for the confirmation! Really appreciated!
The release is incomplete. Where is
https://www.nuget.org/packages/Microsoft.NET.Runtime.Emscripten.3.1.12.Node.win-x64.Msi.x64/7.0.12 ?
I cannot install wasm-tools-net7