Today, we are releasing the .NET September 2023 Updates. These updates contain security and non-security improvements. Your app may be vulnerable if you have not deployed a recent .NET update.
You can download the 7.0.11 and 6.0.22 versions for Windows, macOS, and Linux, for x86, x64, Arm32, and Arm64.
- Installers and binaries: 7.0.11 | 6.0.22
- Release notes: 7.0.11 | 6.0.22
- Container images
- Linux packages: 7.0.11 | 6.0.22
- Release feedback/issue
- Known issues: 7.0 | 6.0
Windows Package Manager CLI (winget)
You can now install .NET updates using the Windows Package Manager CLI (winget):
- To install the .NET 7 runtime:
winget install dotnet-runtime-7
- To install the .NET 7 SDK:
winget install dotnet-sdk-7
- To update an existing installation:
winget upgrade
See Install with Windows Package Manager (winget) for more information.
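To confirm that a host is on the releases named above (7.0.11 and 6.0.22), the output of `dotnet --list-runtimes` can be checked against them. The script below is an added example, not part of the original post or of .NET tooling; the `audit_runtimes` helper, the status labels and the sample listing are constructed for illustration.

```python
import re

# Patched releases named in this post, keyed by (major, minor) release line.
PATCHED = {(6, 0): (6, 0, 22), (7, 0): (7, 0, 11)}

# Line shape printed by `dotnet --list-runtimes`: "<framework> <version> [<path>]"
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\.(\d+)\.(\d+)(-\S+)?\s+\[(.+)\]$")

# Constructed sample listing (not captured from a real host).
SAMPLE = r"""
Microsoft.AspNetCore.App 6.0.21 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.NETCore.App 6.0.22 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 7.0.11 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.WindowsDesktop.App 7.0.10 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.NETCore.App 7.0.0-rc.2.22472.3 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 3.1.32 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
"""

def audit_runtimes(listing):
    """Return (framework, version, status) for each runtime line in the listing."""
    findings = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        version = tuple(int(m.group(i)) for i in (2, 3, 4))
        text = ".".join(map(str, version)) + (m.group(5) or "")
        fixed = PATCHED.get(version[:2])
        if fixed is None:
            status = "not-covered"   # release line not addressed by this post
        elif version < fixed:
            status = "needs-update"  # older than the patched release for its line
        else:
            status = "patched"
        findings.append((m.group(1), text, status))
    return findings

if __name__ == "__main__":
    # On a real host, pass the captured output of `dotnet --list-runtimes` instead.
    for name, ver, status in audit_runtimes(SAMPLE):
        print(f"{status:12} {name} {ver}")
```

Older patch versions stay installed side by side after an update, so a `needs-update` line can remain next to a `patched` one until the old runtime is uninstalled. Self-contained apps bundle their own runtime, do not appear in this listing, and have to be rebuilt against the updated version.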
Improvements
Security
Note: The vulnerabilities CVE-2023-36792, CVE-2023-36793, CVE-2023-36794, CVE-2023-36796 are all resolved by a single patch. Get this update to resolve all of them.
CVE-2023-36792 – .NET Remote Code Execution Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in Microsoft.DiaSymReader.Native.amd64.dll when reading a corrupted PDB file which may lead to remote code execution. This issue only affects Windows systems.
CVE-2023-36793 – .NET Remote Code Execution Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in Microsoft.DiaSymReader.Native.amd64.dll when reading a corrupted PDB file which may lead to remote code execution. This issue only affects Windows systems.
CVE-2023-36794 – .NET Remote Code Execution Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in Microsoft.DiaSymReader.Native.amd64.dll when reading a corrupted PDB file which may lead to remote code execution. This issue only affects Windows systems.
CVE-2023-36796 – .NET Remote Code Execution Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in Microsoft.DiaSymReader.Native.amd64.dll when reading a corrupted PDB file which may lead to remote code execution. This issue only affects Windows systems.
CVE-2023-36799 – .NET Denial of Service Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in .NET where reading a maliciously crafted X.509 certificate may result in Denial of Service. This issue only affects Linux systems.
Visual Studio
See release notes for Visual Studio compatibility for .NET 7.0 and .NET 6.0.
https://packages.microsoft.com/sles/15/prod/Packages/d/dotnet-runtime-deps-7.0-7.0.11-1.x86_64.rpm is missing 🙁
Glad to see MS fixing these CVEs.
Thanks