.NET Core 2.1.7 is available for download and usage in your environment. This release includes .NET Core 2.1.7, ASP.NET Core 2.1.7 and .NET Core SDK 2.1.503.
We’ve created an issue at dotnet/core #2210 for your questions and comments.
SDK Installer1 | SDK Binaries1 | Runtime Installer | Runtime Binaries | ASP.NET Core Runtime | |
---|---|---|---|---|---|
Windows | x86 | x64 | x86 | x64 | x86 | x64 | x86 | x64 | x86 | x64 Hosting Bundle2 |
macOS | x64 | x64 | x64 | x64 | x641 |
Linux | See installation steps below | x64 | ARM | ARM64 | x64 Alpine | - | x64 | ARM | ARM64 | x64 Alpine | x641 | ARM321 | x64 Alpine1 |
RHEL6 | - | x64 | - | x64 | - |
Checksums | SDK | - | Runtime | - | - |
Symbols | CLI | SDK | - | Runtime | Shared Framework | Setup | - | ASP.NET Core |
The .NET Core Docker images have been updated for this release. Details on our Docker versioning and how to work with the images can be seen in “Staying up-to-date with .NET Container Images”.
The following repos have been updated
See .NET Core Supported OS Lifecycle Policy to learn about Windows, macOS and Linux versions that are supported for each .NET Core release.
The following OS version has changed support status since our last release:
The .NET Core 2.1.7 release carries both security and non-security fixes. In addition to the fixes for the listed vulnerabilities (see CVEs below), support for new Japanese calendar eras has been added and there are some cryptography fixes.
All fixes of note can be seen in the 2.1.7 commits list.
The security update addresses the vulnerability by enforcing Cross-origin Resource Sharing (CORS) configuration to prevent its bypass in .NET Core 2.1 and 2.2. An attacker who successfully exploited the vulnerability could retrieve content that is normally restricted from a web application.
Affected Package and Binary updates
Package name | Vulnerable versions | Secure versions |
---|---|---|
Microsoft.NETCore.App (System.Net.Http) | 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6 | 2.1.7 |
This security vulnerability exists in ASP.NET Core 1.0, 1.1, 2.1 and 2.2. If an application is hosted on Internet Information Server (IIS), a remote unauthenticated attacker can use a specially crafted request to cause a Denial of Service.
Affected Package and Binary updates
Package name | Vulnerable versions | Secure versions |
---|---|---|
AspNetCoreModule (ANCM) | Prior to 12.1.18346.0 | >=12.1.18346.0 |
This security vulnerability exists when ASP.NET Core 2.1 and 2.2 improperly handle web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an ASP.NET Core web application. The vulnerability can be exploited remotely, without authentication.
A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET Core application.
Package and Binary updates
Package name | Vulnerable versions | Secure versions |
---|---|---|
Microsoft.AspNetCore.WebSockets | 2.2.0; 2.1.0, 2.1.1 | 2.2.1; 2.1.7 |
Microsoft.AspNetCore.Server.Kestrel.Core | 2.1.0, 2.1.1, 2.1.2, 2.1.3 | 2.1.7 |
System.Net.WebSockets.WebSocketProtocol | 4.5.0, 4.5.1, 4.5.2 | 4.5.3 |
Microsoft.NETCore.App | 2.2.0; 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6 | 2.2.1; 2.1.7 |
Microsoft.AspNetCore.App | 2.2.0; 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6 | 2.2.1; 2.1.7 |
Microsoft.AspNetCore.All | 2.2.0; 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6 | 2.2.1; 2.1.7 |
A security vulnerability exists wherein .NET Core 2.1 improperly handles specially crafted files. An attacker who successfully exploited this vulnerability could write arbitrary files and directories to certain locations on a vulnerable system. However, an attacker would have limited control over the destination of the files and directories.
To exploit the vulnerability, an attacker must send a specially crafted file to a vulnerable system.
Package and Binary updates
Package name | Vulnerable versions | Secure versions |
---|---|---|
Microsoft.NETCore.App* | 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6 | 2.1.7 |
* Updated Microsoft.NETCore.App contains System.IO.Compression.ZipFile.dll version 4.3.1, which is not available separately on nuget.org.
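To turn the "Vulnerable versions" and "Secure versions" columns above into a host check, the following added example (not part of the original release notes and not Microsoft code) audits the text printed by `dotnet --list-runtimes`. The function name `audit_runtimes`, the sample listing and its install paths are constructed for illustration, and the "shadowed" status assumes the default patch roll-forward behaviour for framework-dependent apps.

```python
import re

# Vulnerable shared-framework versions, copied from the tables on this page.
_AFFECTED = {"2.2.0"} | {f"2.1.{p}" for p in range(0, 7)}  # 2.1.0 .. 2.1.6
VULNERABLE = {name: _AFFECTED for name in (
    "Microsoft.NETCore.App", "Microsoft.AspNetCore.App", "Microsoft.AspNetCore.All")}
# Secure version for each release line, from the same tables.
FIXED = {"2.1": "2.1.7", "2.2": "2.2.1"}

# Line shape printed by `dotnet --list-runtimes`: "<name> <version> [<install dir>]"
_ROW = re.compile(r"^(\S+)\s+(\d+)\.(\d+)\.(\d+)\s+\[(.+)\]$")

def audit_runtimes(listing):
    """Return one finding dict per vulnerable runtime found in the listing."""
    installed = {}  # (name, "major.minor") -> set of installed patch numbers
    rows = []
    for raw in listing.splitlines():
        m = _ROW.match(raw.strip())
        if not m:
            continue  # blank lines, preview builds, anything unexpected
        name, major, minor, patch, path = m.groups()
        line = f"{major}.{minor}"
        installed.setdefault((name, line), set()).add(int(patch))
        rows.append((name, line, int(patch), path))
    findings = []
    for name, line, patch, path in rows:
        version = f"{line}.{patch}"
        if version not in VULNERABLE.get(name, ()):
            continue
        fixed_patch = int(FIXED[line].rsplit(".", 1)[1])
        # Assumption: default patch roll-forward, so a fixed patch installed
        # side by side is what framework-dependent apps actually load.
        shadowed = any(p >= fixed_patch for p in installed[(name, line)])
        findings.append({"runtime": name, "version": version,
                         "fixed_in": FIXED[line], "path": path,
                         "status": "shadowed" if shadowed else "exposed"})
    return findings

# Constructed sample output (not captured from a real host).
SAMPLE = """\
Microsoft.AspNetCore.All 2.1.6 [/usr/share/dotnet/shared/Microsoft.AspNetCore.All]
Microsoft.AspNetCore.App 2.1.6 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 2.1.7 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 2.1.6 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 2.2.0 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 2.2.1 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""
```

Self-contained deployments bundle their own copy of the runtime and do not appear in this listing, so they have to be checked and republished separately.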
Package name | Version |
---|---|
dotnet-aspnet-codegenerator | 2.1.7 |
Microsoft.AspNetCore | 2.1.7 |
Microsoft.AspNetCore.All | 2.1.7 |
Microsoft.AspNetCore.App | 2.1.7 |
Microsoft.AspNetCore.Server.IISIntegration | 2.1.7 |
Microsoft.AspNetCore.Server.Kestrel.Core | 2.1.7 |
Microsoft.AspNetCore.WebSockets | 2.1.7 |
Microsoft.NETCore.App | 2.1.7 |
Microsoft.NETCore.DotNetAppHost | 2.1.7 |
Microsoft.NETCore.DotNetHost | 2.1.7 |
Microsoft.NETCore.DotNetHostPolicy | 2.1.7 |
Microsoft.NETCore.DotNetHostResolver | 2.1.7 |
Microsoft.VisualStudio.Web.CodeGeneration | 2.1.7 |
Microsoft.VisualStudio.Web.CodeGeneration.Contracts | 2.1.7 |
Microsoft.VisualStudio.Web.CodeGeneration.Core | 2.1.7 |
Microsoft.VisualStudio.Web.CodeGeneration.Design | 2.1.7 |
Microsoft.VisualStudio.Web.CodeGeneration.EntityFrameworkCore | 2.1.7 |
Microsoft.VisualStudio.Web.CodeGeneration.Templating | 2.1.7 |
Microsoft.VisualStudio.Web.CodeGeneration.Utils | 2.1.7 |
Microsoft.VisualStudio.Web.CodeGenerators.Mvc | 2.1.7 |
runtime.linux-arm.Microsoft.NETCore.App | 2.1.7 |
runtime.linux-arm.Microsoft.NETCore.DotNetAppHost | 2.1.7 |
runtime.linux-arm.Microsoft.NETCore.DotNetHost | 2.1.7 |
runtime.linux-arm.Microsoft.NETCore.DotNetHostPolicy | 2.1.7 |
runtime.linux-arm.Microsoft.NETCore.DotNetHostResolver | 2.1.7 |
runtime.linux-arm64.Microsoft.NETCore.App | 2.1.7 |
runtime.linux-arm64.Microsoft.NETCore.DotNetAppHost | 2.1.7 |
runtime.linux-arm64.Microsoft.NETCore.DotNetHost | 2.1.7 |
runtime.linux-arm64.Microsoft.NETCore.DotNetHostPolicy | 2.1.7 |
runtime.linux-arm64.Microsoft.NETCore.DotNetHostResolver | 2.1.7 |
runtime.linux-musl-x64.Microsoft.NETCore.App | 2.1.7 |
runtime.linux-musl-x64.Microsoft.NETCore.DotNetAppHost | 2.1.7 |
runtime.linux-musl-x64.Microsoft.NETCore.DotNetHost | 2.1.7 |
runtime.linux-musl-x64.Microsoft.NETCore.DotNetHostPolicy | 2.1.7 |
runtime.linux-musl-x64.Microsoft.NETCore.DotNetHostResolver | 2.1.7 |
runtime.linux-x64.Microsoft.NETCore.App | 2.1.7 |
runtime.linux-x64.Microsoft.NETCore.DotNetAppHost | 2.1.7 |
runtime.linux-x64.Microsoft.NETCore.DotNetHost | 2.1.7 |
runtime.linux-x64.Microsoft.NETCore.DotNetHostPolicy | 2.1.7 |
runtime.linux-x64.Microsoft.NETCore.DotNetHostResolver | 2.1.7 |
runtime.osx-x64.Microsoft.NETCore.App | 2.1.7 |
runtime.osx-x64.Microsoft.NETCore.DotNetAppHost | 2.1.7 |
runtime.osx-x64.Microsoft.NETCore.DotNetHost | 2.1.7 |
runtime.osx-x64.Microsoft.NETCore.DotNetHostPolicy | 2.1.7 |
runtime.osx-x64.Microsoft.NETCore.DotNetHostResolver | 2.1.7 |
runtime.rhel.6-x64.Microsoft.NETCore.App | 2.1.7 |
runtime.rhel.6-x64.Microsoft.NETCore.DotNetAppHost | 2.1.7 |
runtime.rhel.6-x64.Microsoft.NETCore.DotNetHost | 2.1.7 |
runtime.rhel.6-x64.Microsoft.NETCore.DotNetHostPolicy | 2.1.7 |
runtime.rhel.6-x64.Microsoft.NETCore.DotNetHostResolver | 2.1.7 |
runtime.win-arm.Microsoft.NETCore.App | 2.1.7 |
runtime.win-arm.Microsoft.NETCore.DotNetAppHost | 2.1.7 |
runtime.win-arm.Microsoft.NETCore.DotNetHost | 2.1.7 |
runtime.win-arm.Microsoft.NETCore.DotNetHostPolicy | 2.1.7 |
runtime.win-arm.Microsoft.NETCore.DotNetHostResolver | 2.1.7 |
runtime.win-arm64.Microsoft.NETCore.App | 2.1.7 |
runtime.win-arm64.Microsoft.NETCore.DotNetAppHost | 2.1.7 |
runtime.win-arm64.Microsoft.NETCore.DotNetHost | 2.1.7 |
runtime.win-arm64.Microsoft.NETCore.DotNetHostPolicy | 2.1.7 |
runtime.win-arm64.Microsoft.NETCore.DotNetHostResolver | 2.1.7 |
runtime.win-x64.Microsoft.NETCore.App | 2.1.7 |
runtime.win-x64.Microsoft.NETCore.DotNetAppHost | 2.1.7 |
runtime.win-x64.Microsoft.NETCore.DotNetHost | 2.1.7 |
runtime.win-x64.Microsoft.NETCore.DotNetHostPolicy | 2.1.7 |
runtime.win-x64.Microsoft.NETCore.DotNetHostResolver | 2.1.7 |
runtime.win-x86.Microsoft.NETCore.App | 2.1.7 |
runtime.win-x86.Microsoft.NETCore.DotNetAppHost | 2.1.7 |
runtime.win-x86.Microsoft.NETCore.DotNetHost | 2.1.7 |
runtime.win-x86.Microsoft.NETCore.DotNetHostPolicy | 2.1.7 |
runtime.win-x86.Microsoft.NETCore.DotNetHostResolver | 2.1.7 |
System.IO.Pipelines | 4.5.3 |
System.Memory | 4.5.2 |
System.Net.Http.WinHttpHandler | 4.5.2 |
System.Net.WebSockets.WebSocketProtocol | 4.5.3 |
System.Security.Cryptography.Pkcs | 4.5.2 |
System.Text.Encoding.CodePages | 4.5.1 |
System.Threading.Tasks.Extensions | 4.5.2 |