We have released a second update this month to address a regression in our earlier release (June 13th). The new versions are .NET 6.0.19 and .NET 7.0.8. The regression is functional and doesn’t require action on your part unless you are affected by the issue.<\/p>\n
The NET 6.0.18 and 7.0.7 updates update added constraints to PFX certificate loading to fix a DoS vulnerability (CVE-2023-29331). We created a specific exception message with a link to a known issue KB https:\/\/support.microsoft.com\/kb\/5025823 to describe these behavioral changes.<\/p>\n
We learned from customer reports during the week of June 13, 2023 that .NET 6.0.18 and 7.0.7 may fail to import PKCS12 blobs whose private keys are protected by a null password. Callers may non-deterministically observe a Also documented at .NET June OOB Updates<\/a>.<\/p>\n You can download 7.0.8<\/a> and 6.0.19<\/a> versions for Windows, macOS, and Linux, for x86, x64, Arm32, and Arm64.<\/p>\n There is no need to install these updates unless you are affected by the functional regression listed at KB5028608<\/a>. If you are not affected by the functional regression described above, you can safely remain on 6.0.18 \/ 7.0.7.<\/p>\n No. These updates contain no new security fixes beyond what already shipped in 6.0.18 \/ 7.0.7. As long as you are running at least 6.0.18 or 7.0.7, you are protected with all of the latest available security fixes.<\/p>\n Today, we are releasing the .NET June 2023 Updates<\/a>. These updates contain security and non-security improvements. Your app may be vulnerable<\/a> if you have not deployed a recent .NET update.<\/p>\n You can download 7.0.7<\/a> and 6.0.18<\/a> versions for Windows, macOS, and Linux, for x86, x64, Arm32, and Arm64.<\/p>\n You can now install .NET updates using the Windows Package Manager CLI (winget):<\/p>\n See Install with Windows Package Manager (winget)<\/a> for more information.<\/p>\n CVE-2023-24895 – .NET Remote Code Execution Vulnerability<\/a><\/p>\n Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.<\/p>\n A vulnerability exists in how WPF for .NET handles certain XAML Frame elements which may result in remote code execution.<\/p>\n CVE-2023-24897 – .NET Remote Code Execution Vulnerability<\/a><\/p>\n Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.<\/p>\n A vulnerability exists in how .NET reads debugging symbols, where reading a malicious symbols file may result in remote code execution.<\/p>\n CVE-2023-24936 – .NET Elevation of Privilege Vulnerability<\/a><\/p>\n Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.<\/p>\n A vulnerability exists in .NET when deserializing a DataSet or DataTable from XML which may result in elevation of privileges.<\/p>\n CVE-2023-29331 – .NET Denial of Service Vulnerability<\/a><\/p>\n Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.<\/p>\n A vulnerability exists in .NET when processing X.509 certificates that may result in Denial of Service.<\/p>\n CVE-2023-29337 – NuGet Client Remote Code Execution Vulnerability<\/a><\/p>\n Microsoft is releasing this security advisory to provide information about a vulnerability in .NET and NuGet on Linux. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.<\/p>\n A vulnerability exists in nuget where a potential race condition that can lead to a symlink attack<\/p>\n CVE-2023-32032 – .NET Denial of Service Vulnerability<\/a><\/p>\n Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.<\/p>\n A vulnerability exists in .NET using extracting the contents of a Tar file which may result in elevation of privileges.<\/p>\n CVE-2023-33126 – .NET Denial of Service Vulnerability<\/a><\/p>\n Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.<\/p>\n A vulnerability exists in .NET during crash and stack trace scenarios that could lead to loading arbitrary binaries.<\/p>\n CVE-2023-33128 – .NET Denial of Service Vulnerability<\/a><\/p>\n Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.<\/p>\n A vulnerability exists in .NET source generator for P\/Invokes that can lead to generated code freeing uninitialized memory and crashing.<\/p>\n CVE-2023-33135 – .NET Denial of Service Vulnerability<\/a><\/p>\n Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.<\/p>\n A vulnerability exists in the .NET SDK during tool restore which can lead to an elevation of privilege.<\/p>\n See release notes for Visual Studio compatibility for .NET 7.0<\/a> and .NET 6.0<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":" Check out latest June 2023 updates for .NET 7.0 and .NET 6.0<\/p>\n","protected":false},"author":7455,"featured_media":46266,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[685,7600],"tags":[],"class_list":["post-46120","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-dotnet","category-maintenance-and-updates"],"acf":[],"blog_post_summary":" Check out latest June 2023 updates for .NET 7.0 and .NET 6.0<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts\/46120","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/users\/7455"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/comments?post=46120"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts\/46120\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/media\/46266"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/media?parent=46120"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/categories?post=46120"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/tags?post=46120"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}CryptographicException<\/code> being thrown by the X509Certificate<\/code> constructor on those runtimes. This regression was unintentional and a fix is being offered for affected applications.<\/p>\nDownload Update<\/h3>\n
\n
Do I need to install 6.0.19 \/ 7.0.8?<\/h3>\n
Is 6.0.19 \/ 7.0.8 a security update?<\/h3>\n
\n\n
Windows Package Manager CLI (winget)<\/h3>\n
\n
winget install dotnet-runtime-7<\/code><\/li>\nwinget install dotnet-sdk-7<\/code><\/li>\nwinget upgrade<\/code><\/li>\n<\/ul>\nImprovements<\/h2>\n
\n
Security<\/h2>\n
Visual Studio<\/h2>\n