core

.NET Core July 2018 Update - July 10, 2018

.NET Core 2.1.2 is available for download and usage in your environment. This release includes .NET Core 2.1.2, ASP.NET Core 2.1.2 and .NET Core SDK 2.1.302.

• Downloads
• Changes in this release
• Known Issues
• Lifecycle

Visit the .NET Core blog to read more about this release. Your feedback is important and appreciated. We’ve created an issue at dotnet/core #1765 for your questions and comments.

Downloads

	SDK Installer*	SDK Binaries*	Runtime Installer	Runtime Binaries	ASP.NET Core Runtime
Windows	x86 | x64	x86 | x64	x86 | x64	x86 | x64	x86 | x64 Hosting Bundle
macOS	x64	x64	x64	x64	x64
Linux	See installations steps below	x64 | ARM | ARM64 | x64 Alpine	-	x64 | ARM | ARM64 | x64 Alpine	x64 | ARM32 | x64 Alpine
RHEL6	-	x64	-	x64	-
Checksums	SDK	-	Runtime	-	-
Symbols	-	-	Runtime | Shared Framework | Setup	-	ASP.NET Core

* Includes the .NET Core and ASP.NET Core runtimes

Docker Images

The .NET Core Docker images have been updated for this release. Details on our Docker versioning and how to work with the images can be seen in “Staying up-to-date with .NET Container Images”.

The following repos have been updated

• microsoft/dotnet
• microsoft/dotnet-samples
• microsoft/aspnetcore
• microsoft/aspnetcore-build

Azure AppServices

• Deployment of .NET Core 2.1.2 to Azure App Services has been completed and is available in all regions.

.NET Core Lifecycle News

See .NET Core Supported OS Lifecycle Policy to learn about Windows, macOS and Linux versions that are supported for each .NET Core release.

Supported Linux version changes

Fedora 26 and Ubuntu 17.10 will reach end of life in July. This is the last update of .NET Core which will support these versions.

Notable Changes in 2.1.2

CVE-2018-8356: .NET Core Security Feature Bypass Vulnerability

Executive summary

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

Microsoft is aware of a security feature bypass vulnerability that exists when .NET Core does not correctly validate certificates. An attacker who successfully exploited this vulnerability could present an expired certificate when challenged.

The update addresses the vulnerability by correcting how .NET Core applications handle certificate validation.

Package and Binary updates

Package name	Vulnerable versions	Secure versions
System.Private.ServiceModel	4.0.0, 4.1.0, 4.1.1 4.3.0, 4.3.1 4.4.0, 4.4.1, 4.4.2 4.5.0, 4.5.1	4.1.2 or later 4.3.2 or later 4.4.3 or later 4.5.2 or later
System.ServiceModel.Duplex	4.0.0, 4.1.0, 4.1.1 4.3.0, 4.3.1 4.4.0, 4.4.1, 4.4.2 4.5.0, 4.5.1	4.1.2 or later 4.3.2 or later 4.4.3 or later 4.5.2 or later
System.ServiceModel.Http	4.0.0, 4.1.0, 4.1.1 4.3.0, 4.3.1 4.4.0, 4.4.1, 4.4.2 4.5.0, 4.5.1	4.1.2 or later 4.3.2 or later 4.4.3 or later 4.5.2 or later
System.ServiceModel.NetTcp	4.0.0, 4.1.0, 4.1.1 4.3.0, 4.3.1 4.4.0, 4.4.1, 4.4.2 4.5.0, 4.5.1	4.1.2 or later 4.3.2 or later 4.4.3 or later 4.5.2 or later
System.ServiceModel.Primitives	4.0.0, 4.1.0, 4.1.1 4.3.0, 4.3.1 4.4.0, 4.4.1, 4.4.2 4.5.0, 4.5.1	4.1.2 or later 4.3.2 or later 4.4.3 or later 4.5.2 or later
System.ServiceModel.Security	4.0.0, 4.1.0, 4.1.1 4.3.0, 4.3.1 4.4.0, 4.4.1, 4.4.2 4.5.0, 4.5.1	4.1.2 or later 4.3.2 or later 4.4.3 or later 4.5.2 or later

CVE-2018-8171: ASP.NET Core Security Feature Bypass Vulnerability

Executive summary

Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

Microsoft is aware of a security feature bypass in ASP.NET Core when the number of incorrect login attempts is not validated. An attacker who successfully exploited this vulnerability could try an infinite number of authentication attempts.

The update addresses the vulnerability by correcting how ASP.NET Core validates the number of incorrect login attempts.

Package and Binary updates

Package name	Vulnerable versions	Secure versions
Microsoft.AspNetCore.Identity	1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5 2.0.0, 2.0.1, 2.0.2, 2.0.3 2.1.0, 2.1.1	1.0.6 1.1.6 2.0.4 2.1.2

July 2018: ASP.NET Core Denial Of Service Vulnerability

Executive summary

Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core 2.0 and 2.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

Microsoft is aware of a denial of service vulnerability in ASP.NET Core when a malformed request is terminated. An attacker who successfully exploited this vulnerability could cause a denial of service attack.

The update addresses the vulnerability by correcting how ASP.NET Core handles such requests.

Package and Binary updates

Package name	Vulnerable versions	Secure versions
Microsoft.AspNetCore.Server.Kestrel.Core	2.0.0, 2.0.1, 2.0.2, 2.0.3 2.1.0, 2.1.1	2.0.4 2.1.2
Microsoft.AspNetCore.All	2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5 2.0.6, 2.0.7, 2.0.8 2.1.0, 2.1.1	2.0.9 2.1.2
Microsoft.AspNetCore.App	2.1.0, 2.1.1	2.1.2

This site is open source. Improve this page.