Microsoft is releasing security advisories for .NET Core and ASP.NET Core. Issues addressed by this update are summarized in the fixes section below. Details can be found in corresponding announcements in the .NET Core and ASP.NET Core repos.
.NET Core 2.0.6 and SDK 2.1.101 are available for download and usage in your environment.
The .NET Core SDK 2.1.101 includes .NET Core 2.0.6 Runtime so downloading the runtime packages separately is not needed when installing the SDK. After installing the .NET Core SDK 2.1.101, the following command will show that you're running version 2.1.101
of the tools.
dotnet --version
Your feedback is important and appreciated. We've created an issue at dotnet/core #1341 for your questions and comments.
The .NET Core Docker images have been updated for this release. Look for the 2.0.6 images.
Deployment of this update to Azure AppServices is in process. Because AppServices is a high availability service, the deployment is carefully staged across regions over a period of time. Deployment will begin in the West US 2 and North Central US regions with remaining regions following over a few days.
Windows Server Hosting bundle (DotNetCore.2.0.6-WindowsHosting.exe
) does not contain the updated AspNetCore RuntimePackageStore
Issue DotNetCore.2.0.6-WindowsHosting.exe
incorrectly contains the 2.0.5 AspNetCore RuntimePackageStore rather than 2.0.6.
Resolution: If you have already installed the broken installer, download and run the new installer. You can verify the correct version is installed by checking this:
Open the Control Panel and navigate to “Uninstall a program”, or on Windows 10 open Windows settings and navigate to “Apps”.
Find the entry for Microsoft .NET Core 2.0.6 – Windows Server Hosting
. This entry should show that version 2.0.40314.10011
is installed.
Issue: Running the package manager update
command on Linux systems where .NET Core has been previously installed may offer an update for dotnet-host.x86_64
. If the update is allowed to proceed, .NET Core could be in a broken state as only the dotnet host is updated.
Resolution: To install the update, either the Runtime or SDK must be explicitly installed. e.g. sudo [apt-get, yum, dnf, zypper] install dotnet-runtime-2.0.6
, if you only need the runtime or sudo [apt-get, yum, dnf, zypper] dotnet-sdk-2.1.101
, to install both the SDK and Runtime.
We are working to improve our Linux packages to enable correct package manager update behavior. This work is being tracked in the following issues:
The following packages and binaries are updated by the March 2018 update:
- System.Private.Corelib
- Microsoft.NETCore.Runtime.CoreCLR
- Microsoft.NETCore.Jit
Microsoft is aware of a security vulnerability in the public versions of .NET Core where a malicious file or web request could cause a denial of service (DoS) attack. See the following announcement for details.
[7ff205b]
Fix for SqlConnection failure when having multiple concurrent users (#26247)[4d66ecf]
Performance issue fix for manged sni (#26244)[25b6570]
Fix XmlSerializer packaging break (#25799)[7751d09]
Enable ECDH cipher suites as preferred cipher for key agreement.[804c756]
Ensure HttpListener request buffer is aligned as required by the host processor (#25763)[97ce4b6]
Revert "Minor change to avoid an allocation in Uri" (#25643)[0933a23]
Port 2 fixes for NamedPipeClientStream (#26118)[dcdf47c]
fix sgen if/else issue (#25562)[e2f8be3]
Support Reference Assemblies in SGEN. (#24491)[0a129de]
Ignore the type if it contains any property that only have private setter. (#24611)[3e437ec]
Make the public class be internal in sgen. (#24345)[cac0f6a]
Add more parameters support in SGEN. (#24322)[8d2753e]
Remove the line that will copy the generated serializer to the pack. (#24199)[0e29bf8]
Add the target to copy the serializer to publish folder. (#24096)[e82739f]
Add warning by default in SGEN (#24054)[31a21dd]
Add help method for SGEN. (#23966)[c2704a6]
Add /casesensitive parameter so the command works on linux when the path contains capital letter (#23947)[d980557]
Allow copy-local ReferenceFromRuntime[d675870]
Improve Sgen package for better customer experience (#23348)[97076d8]
Fix the sgen issue when use NaN as the default value. (#23366)[0a73abd]
WarningsAsErrors and DisabledWarnings are not boolean. (#23335)[fe96f3b]
Use stream as the input of GenerateSerializer method (#19862)
[381e6b1]
Fix SIGSEGV in EventPipe on Shutdown (#14123) (#15765)[b5c6996]
Port COMException fix from master (#15735)[4efa38d]
Make EventArgs base class serializable (#15541) (#15686)[7621d45]
Fix source/line info on Windows for Windows PDBs. (#14696) (#15255)[872b9d9]
JIT: port fix to defer removing statements during opt CSE to release/2.0.0 (#15360)[216aa4a]
Fix sos/dac long named dlls (#15583)