core

.NET Core 2.1.13 Update - September 10, 2019

.NET Core 2.1.13 is available for download and usage in your environment. This release includes .NET Core 2.1.13, ASP.NET Core 2.1.13 and the .NET Core SDK.

The September Update for .NET Core 2.1 includes multiple SDK builds. If you are a Visual Studio 2019, Visual Studio 2017 or Visual Studio for Mac user, there are MSBuild version requirements that are satisfied by specific, matching .NET Core SDK versions. See the table below to select the correct download. Otherwise, the best version to download is .NET Core SDK 2.1.802.

OS	Development Environment	.NET Core SDK
Any supported	Command line and/or Visual Studio Code	2.1.802
Windows	Visual Studio 2019 version 16.2	2.1.802
Windows	Visual Studio 2019 version 16.0	2.1.606
Windows	Visual Studio 2017	2.1.509
MacOS	Visual Studio for Mac	Visual Studio for Mac .NET Core Support

• Blog Post
• Downloads
• Changes in this release
• .NET Core Lifecycle News
• Known Issues

We’ve created an issue at dotnet/core #3345 for your questions and comments.

Downloads

	SDK Installer1	SDK Binaries1	Runtime Installer	Runtime Binaries	ASP.NET Core Runtime
Windows	x86 | x64	x86 | x64	x86 | x64	x86 | x64 | ARM	x86 | x64 | Hosting Bundle2
macOS	x64	x64	x64	x64	x641
Linux	See installations steps below	x64 | ARM | ARM64 | x64 Alpine	-	x64 | ARM | ARM64 | x64 Alpine	x641 | ARM1 | x64 Alpine1
RHEL6	-	x64	-	x64	-
Checksums	SDK	-	Runtime	-	-

1. Includes the .NET Core and ASP.NET Core Runtimes
2. For hosting stand-alone apps on Windows Servers. Includes the ASP.NET Core Module for IIS and can be installed separately on servers without installing .NET Core runtime.

Docker Images

The .NET Core Docker images have been updated for this release. Details on our Docker versioning and how to work with the images can be seen in “Staying up-to-date with .NET Container Images”.

The following repos have been updated

• microsoft/dotnet
• microsoft/dotnet-samples

The images are expected to be available later today.

Azure AppServices

• .NET Core 2.1.13 is being deployed to Azure App Services and the deployment is expected to complete later in September 2019.

.NET Core Lifecycle News

See .NET Core Supported OS Lifecycle Policy to learn about Windows, macOS and Linux versions that are supported for each .NET Core release.

Changes in 2.1.13

.NET Core 2.1.13 release carries both security and non-security fixes.

CVE-2019-1302: ASP.NET Core Elevation Of Privilege Vulnerability

Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

Microsoft is aware of an elevation of privilege vulnerability exists when a ASP.NET Core web application, created using vulnerable project templates, fails to properly sanitize web requests. An attacker who successfully exploited this vulnerability could perform content injection attacks and run script in the security context of the logged-on user.

To exploit the vulnerability, an attacker could send a specially crafted email, containing a malicious link, to a user. Alternatively, an attacker could use a chat client to social engineer a user into clicking the malicious link. However, in all cases to exploit this vulnerability a user must click a maliciously crafted link from an attacker.

The update addresses the vulnerability by correcting how the .NET Core web application handles content encoding and updates the application templates to depend on the corrected code libraries.

Affected Package and Binary updates

Package name	Vulnerable versions	Secure versions
Microsoft.AspNetCore.SpaServices	2.1.0-2.1.2 2.2.0	2.1.2 2.2.1

CVE-2019-1301: Denial of Service Vulnerability in .NET Core

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

Microsoft is aware of a denial of service vulnerability when .NET Core improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET Core web application. The vulnerability can be exploited remotely, without authentication.

The update addresses the vulnerability by correcting how the .NET Core web application handles web requests.

Affected Package and Binary updates

Package name	Vulnerable versions	Secure versions
System.Net.Sockets	4.3.0	4.3.1
Microsoft.NetCore.App	2.1.0 - 2.1.12 2.2.0 - 2.2.6	2.1.13 2.2.7

CVE-2018-8269: Denial of Service Vulnerability in OData

Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

Microsoft is aware of a denial of service attack in the Microsoft OData library used in ASP.NET could cause a denial of service against an OData web application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the OData application.

The update addresses the vulnerability by updating the version of OData ASP.NET Core uses.

Affected Package and Binary updates

Package name	Vulnerable versions	Secure versions
Microsoft.AspNetCore.DataProtection.AzureStorage	2.1.0 - 2.1.12 2.2.0 - 2.2.6	2.1.13 2.2.7
Microsoft.Data.OData.dll	< 5.8.4	5.8.5
Microsoft.AspNetCore.All	2.1.0 - 2.1.12 2.2.0 - 2.2.6	2.1.13 2.2.7

Additional fixes in this release

• CoreCLR
• CoreFX
• Core-Setup
• ASP.NETCore

Packages updated in this release:

Package name	Version
microsoft.aspnetcore.all.2.1.13.nupkg
microsoft.aspnetcore.app.2.1.13.nupkg
microsoft.aspnetcore.dataprotection.azurestorage.2.1.13.nupkg
microsoft.aspnetcore.spaservices.2.1.13.nupkg
microsoft.dotnet.web.client.itemtemplates.2.1.13.nupkg
microsoft.dotnet.web.itemtemplates.2.1.13.nupkg
microsoft.dotnet.web.projecttemplates.2.1.2.1.13.nupkg
microsoft.dotnet.web.spa.projecttemplates.2.1.2.1.13.nupkg
microsoft.netcore.platforms	2.1.13
microsoft.netcore.app	2.1.13
microsoft.netcore.dotnetapphost	2.1.13
microsoft.netcore.dotnethost	2.1.13
microsoft.netcore.dotnethostpolicy	2.1.13
microsoft.netcore.dotnethostresolver	2.1.13
runtime.linux-arm.microsoft.netcore.app	2.1.13
runtime.linux-arm.microsoft.netcore.dotnetapphost	2.1.13
runtime.linux-arm.microsoft.netcore.dotnethost	2.1.13
runtime.linux-arm.microsoft.netcore.dotnethostpolicy	2.1.13
runtime.linux-arm.microsoft.netcore.dotnethostresolver	2.1.13
runtime.linux-arm64.microsoft.netcore.app	2.1.13
runtime.linux-arm64.microsoft.netcore.dotnetapphost	2.1.13
runtime.linux-arm64.microsoft.netcore.dotnethost	2.1.13
runtime.linux-arm64.microsoft.netcore.dotnethostpolicy	2.1.13
runtime.linux-arm64.microsoft.netcore.dotnethostresolver	2.1.13
runtime.linux-musl-x64.microsoft.netcore.app	2.1.13
runtime.linux-musl-x64.microsoft.netcore.dotnetapphost	2.1.13
runtime.linux-musl-x64.microsoft.netcore.dotnethost	2.1.13
runtime.linux-musl-x64.microsoft.netcore.dotnethostpolicy	2.1.13
runtime.linux-musl-x64.microsoft.netcore.dotnethostresolver	2.1.13
runtime.linux-x64.microsoft.netcore.app	2.1.13
runtime.linux-x64.microsoft.netcore.dotnetapphost	2.1.13
runtime.linux-x64.microsoft.netcore.dotnethost	2.1.13
runtime.linux-x64.microsoft.netcore.dotnethostpolicy	2.1.13
runtime.linux-x64.microsoft.netcore.dotnethostresolver	2.1.13
runtime.osx-x64.microsoft.netcore.app	2.1.13
runtime.osx-x64.microsoft.netcore.dotnetapphost	2.1.13
runtime.osx-x64.microsoft.netcore.dotnethost	2.1.13
runtime.osx-x64.microsoft.netcore.dotnethostpolicy	2.1.13
runtime.osx-x64.microsoft.netcore.dotnethostresolver	2.1.13
runtime.rhel.6-x64.microsoft.netcore.app	2.1.13
runtime.rhel.6-x64.microsoft.netcore.dotnetapphost	2.1.13
runtime.rhel.6-x64.microsoft.netcore.dotnethost	2.1.13
runtime.rhel.6-x64.microsoft.netcore.dotnethostpolicy	2.1.13
runtime.rhel.6-x64.microsoft.netcore.dotnethostresolver	2.1.13
runtime.win-arm.microsoft.netcore.app	2.1.13
runtime.win-arm.microsoft.netcore.dotnetapphost	2.1.13
runtime.win-arm.microsoft.netcore.dotnethost	2.1.13
runtime.win-arm.microsoft.netcore.dotnethostpolicy	2.1.13
runtime.win-arm.microsoft.netcore.dotnethostresolver	2.1.13
runtime.win-arm64.microsoft.netcore.app	2.1.13
runtime.win-arm64.microsoft.netcore.dotnetapphost	2.1.13
runtime.win-arm64.microsoft.netcore.dotnethost	2.1.13
runtime.win-arm64.microsoft.netcore.dotnethostpolicy	2.1.13
runtime.win-arm64.microsoft.netcore.dotnethostresolver	2.1.13
runtime.win-x64.microsoft.netcore.app	2.1.13
runtime.win-x64.microsoft.netcore.dotnetapphost	2.1.13
runtime.win-x64.microsoft.netcore.dotnethost	2.1.13
runtime.win-x64.microsoft.netcore.dotnethostpolicy	2.1.13
runtime.win-x64.microsoft.netcore.dotnethostresolver	2.1.13
runtime.win-x86.microsoft.netcore.app	2.1.13
runtime.win-x86.microsoft.netcore.dotnetapphost	2.1.13
runtime.win-x86.microsoft.netcore.dotnethost	2.1.13
runtime.win-x86.microsoft.netcore.dotnethostpolicy	2.1.13
runtime.win-x86.microsoft.netcore.dotnethostresolver	2.1.13

This site is open source. Improve this page.