.NET Core 2.1.4 is available for download and usage in your environment. This release includes .NET Core 2.1.4, ASP.NET Core 2.1.4 and .NET Core SDK 2.1.402. All fixes of note can be seen in the 2.1.4 commits list.
Visit the .NET Core blog to read more about this release. Your feedback is important and appreciated. We’ve created an issue at dotnet/core #1932 for your questions and comments.
| SDK Installer* | SDK Binaries* | Runtime Installer | Runtime Binaries | ASP.NET Core Runtime | |
|---|---|---|---|---|---|
| Windows | x86 | x64 | x86 | x64 | x86 | x64 | x86 | x64 | x86 | x64 Hosting Bundle |
| macOS | x64 | x64 | x64 | x64 | x64 |
| Linux | See installations steps below | x64 | ARM | ARM64 | x64 Alpine | - | x64 | ARM | ARM64 | x64 Alpine | x64 | ARM32 | x64 Alpine |
| RHEL6 | - | x64 | - | x64 | - |
| Checksums | SDK | - | Runtime | - | - |
| Symbols | - | - | Runtime | Shared Framework | Setup | - | ASP.NET Core |
* Includes the .NET Core and ASP.NET Core runtimes
The .NET Core Docker images have been updated for this release. Details on our Docker versioning and how to work with the images can be seen in “Staying up-to-date with .NET Container Images”.
The following repos have been updated
See .NET Core Supported OS Lifecycle Policy to learn about Windows, macOS and Linux versions that are supported for each .NET Core release.
No changes in support for September.
Executive summary
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core 2.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
Microsoft is aware of a denial of service vulnerability in .NET Core when System.IO.Pipelines improperly handles requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an application that is leveraging System.IO.Pipelines. The vulnerability can be exploited remotely, without authentication. A remote unauthenticated attacker could exploit this vulnerability by providing specially crafted requests to the application.
The update addresses the vulnerability by correcting how System.IO.Pipelines handles requests.
| Package name | Vulnerable versions | Secure versions |
|---|---|---|
| System.IO.Pipelines | 4.5.0 | 4.5.1 |
Executive summary
Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core 2.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
Microsoft is aware of a denial of service vulnerability when ASP.NET Core improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an ASP.NET Core web application. The vulnerability can be exploited remotely, without authentication. A remote unauthenticated attacker could exploit this vulnerability by providing a specially crafted web requests to the ASP.NET Core application.
The update addresses the vulnerability by correcting how ASP.NET Core handles parsing web requests.
| Package name | Vulnerable versions | Secure versions |
|---|---|---|
| Microsoft.AspNetCore.All | 2.1.0, 2.1.1, 2.1.2, 2.1.3 | 2.1.4 |
| Microsoft.AspNetCore.App | 2.1.0, 2.1.1, 2.1.2, 2.1.3 | 2.1.4 |
| System.IO.Pipelines | 4.5.0 | 4.5.1 |