.NET Core July 2018 Update - July 10, 2018
.NET Core 2.1.2 is available for download and usage in your environment. This release includes .NET Core 2.1.2, ASP.NET Core 2.1.2 and .NET Core SDK 2.1.302.
Visit the .NET Core blog to read more about this release. Your feedback is important and appreciated. We've created an issue at dotnet/core #1765 for your questions and comments.
Downloads
| SDK Installer* | SDK Binaries* | Runtime Installer | Runtime Binaries | ASP.NET Core Runtime | |
|---|---|---|---|---|---|
| Windows | x86 | x64 | x86 | x64 | x86 | x64 | x86 | x64 | x86 | x64 Hosting Bundle |
| macOS | x64 | x64 | x64 | x64 | x64 |
| Linux | See installations steps below | x64 | ARM | ARM64 | x64 Alpine | - | x64 | ARM | ARM64 | x64 Alpine | x64 | ARM32 | x64 Alpine |
| RHEL6 | - | x64 | - | x64 | - |
| Checksums | SDK | - | Runtime | - | - |
| Symbols | - | - | Runtime | Shared Framework | Setup | - | ASP.NET Core |
* Includes the .NET Core and ASP.NET Core runtimes
Docker Images
The .NET Core Docker images have been updated for this release. Details on our Docker versioning and how to work with the images can be seen in "Staying up-to-date with .NET Container Images".
The following repos have been updated
Azure AppServices
- Deployment of .NET Core 2.1.2 to Azure App Services has been completed and is available in all regions.
.NET Core Lifecycle News
See .NET Core Supported OS Lifecycle Policy to learn about Windows, macOS and Linux versions that are supported for each .NET Core release.
Supported Linux version changes
Fedora 26 and Ubuntu 17.10 will reach end of life in July. This is the last update of .NET Core which will support these versions.
Notable Changes in 2.1.2
CVE-2018-8356: .NET Core Security Feature Bypass Vulnerability
Executive summary
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
Microsoft is aware of a security feature bypass vulnerability that exists when .NET Core does not correctly validate certificates. An attacker who successfully exploited this vulnerability could present an expired certificate when challenged.
The update addresses the vulnerability by correcting how .NET Core applications handle certificate validation.
Package and Binary updates
| Package name | Vulnerable versions | Secure versions |
|---|---|---|
| System.Private.ServiceModel | 4.0.0, 4.1.0, 4.1.1 4.3.0, 4.3.1 4.4.0, 4.4.1, 4.4.2 4.5.0, 4.5.1 |
4.1.2 or later 4.3.2 or later 4.4.3 or later 4.5.2 or later |
| System.ServiceModel.Duplex | 4.0.0, 4.1.0, 4.1.1 4.3.0, 4.3.1 4.4.0, 4.4.1, 4.4.2 4.5.0, 4.5.1 |
4.1.2 or later 4.3.2 or later 4.4.3 or later 4.5.2 or later |
| System.ServiceModel.Http | 4.0.0, 4.1.0, 4.1.1 4.3.0, 4.3.1 4.4.0, 4.4.1, 4.4.2 4.5.0, 4.5.1 |
4.1.2 or later 4.3.2 or later 4.4.3 or later 4.5.2 or later |
| System.ServiceModel.NetTcp | 4.0.0, 4.1.0, 4.1.1 4.3.0, 4.3.1 4.4.0, 4.4.1, 4.4.2 4.5.0, 4.5.1 |
4.1.2 or later 4.3.2 or later 4.4.3 or later 4.5.2 or later |
| System.ServiceModel.Primitives | 4.0.0, 4.1.0, 4.1.1 4.3.0, 4.3.1 4.4.0, 4.4.1, 4.4.2 4.5.0, 4.5.1 |
4.1.2 or later 4.3.2 or later 4.4.3 or later 4.5.2 or later |
| System.ServiceModel.Security | 4.0.0, 4.1.0, 4.1.1 4.3.0, 4.3.1 4.4.0, 4.4.1, 4.4.2 4.5.0, 4.5.1 |
4.1.2 or later 4.3.2 or later 4.4.3 or later 4.5.2 or later |
CVE-2018-8171: ASP.NET Core Security Feature Bypass Vulnerability
Executive summary
Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
Microsoft is aware of a security feature bypass in ASP.NET Core when the number of incorrect login attempts is not validated. An attacker who successfully exploited this vulnerability could try an infinite number of authentication attempts.
The update addresses the vulnerability by correcting how ASP.NET Core validates the number of incorrect login attempts.
Package and Binary updates
| Package name | Vulnerable versions | Secure versions |
|---|---|---|
| Microsoft.AspNetCore.Identity | 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5 2.0.0, 2.0.1, 2.0.2, 2.0.3 2.1.0, 2.1.1 |
1.0.6 1.1.6 2.0.4 2.1.2 |
July 2018: ASP.NET Core Denial Of Service Vulnerability
Executive summary
Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core 2.0 and 2.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
Microsoft is aware of a denial of service vulnerability in ASP.NET Core when a malformed request is terminated. An attacker who successfully exploited this vulnerability could cause a denial of service attack.
The update addresses the vulnerability by correcting how ASP.NET Core handles such requests.
Package and Binary updates
| Package name | Vulnerable versions | Secure versions |
|---|---|---|
| Microsoft.AspNetCore.Server.Kestrel.Core | 2.0.0, 2.0.1, 2.0.2, 2.0.3 2.1.0, 2.1.1 |
2.0.4 2.1.2 |
| Microsoft.AspNetCore.All | 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5 2.0.6, 2.0.7, 2.0.8 2.1.0, 2.1.1 |
2.0.9 2.1.2 |
| Microsoft.AspNetCore.App | 2.1.0, 2.1.1 | 2.1.2 |