.NET Core 2.1.9 is available for download and usage in your environment. This release includes .NET Core 2.1.9, ASP.NET Core 2.1.9 and .NET Core SDK 2.1.505.
We’ve created an issue at dotnet/core #2432 for your questions and comments.
SDK Installer1 | SDK Binaries1 | Runtime Installer | Runtime Binaries | ASP.NET Core Runtime | |
---|---|---|---|---|---|
Windows | x86 | x64 | x86 | x64 | x86 | x64 | x86 | x64 | x86 | x64 Hosting Bundle2 |
macOS | x64 | x64 | x64 | x64 | x641 |
Linux | See installations steps below | x64 | ARM | ARM64 | x64 Alpine | - | x64 | ARM | ARM64 | x64 Alpine] | x641 | ARM321 | x64 Alpine1 |
RHEL6 | - | x64 | - | x64 | - |
Checksums | SDK | - | Runtime | - | - |
Symbols | CLI | SDK | - | Runtime | Shared Framework | Setup | - | ASP.NET Core |
The .NET Core Docker images have been updated for this release. Details on our Docker versioning and how to work with the images can be seen in “Staying up-to-date with .NET Container Images”.
The following repos have been updated
There are no changes this month in OS version support status.
.NET Core 1.0 and 1.1, which entered “Maintenance” support status when 2.1 was declared LTS, will be end-of-life June 27, 2019. Updates for the 1.0 and 1.1 channels will no longer be offered after that date. See .NET Core Support Policy to learn more about the .NET Core support lifecycle.
See .NET Core Supported OS Lifecycle Policy to learn about Windows, macOS and Linux versions that are supported for each .NET Core release.
.NET Core 2.1.9 release carries both security and non-security fixes.
CVE-2019-0757: .NET Core NuGet Tampering Vulnerability
A tampering vulnerability exists in NuGet software when executed in a Linux or Mac environment. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Exploitation of the vulnerability requires that an attacker can login as any other user on that machine. At that point, the attacker will be able to replace or add to files that were created by a NuGet restore operation in the current users account.
The security update addresses the vulnerability by correcting how NuGet restore creates file permissions for all files extracted to the client machine.
Affected Package and Binary updates
Package name | Vulnerable versions | Secure versions |
---|---|---|
Nuget.Packaging | 4.9.0 – 4.9.3 | 4.9.4 |
Package name | Version |
---|---|
Microsoft.AspNetCore.All | 2.1.9 |
Microsoft.AspNetCore.App | 2.1.9 |
Microsoft.NETCore.App | 2.1.9 |
Microsoft.NETCore.DotNetAppHost | 2.1.9 |
Microsoft.NETCore.DotNetHost | 2.1.9 |
Microsoft.NETCore.DotNetHostPolicy | 2.1.9 |
Microsoft.NETCore.DotNetHostResolver | 2.1.9 |
Microsoft.NETCore.Platforms | 2.1.3 |
runtime.linux-arm.Microsoft.NETCore.App | 2.1.9 |
runtime.linux-arm.Microsoft.NETCore.DotNetAppHost | 2.1.9 |
runtime.linux-arm.Microsoft.NETCore.DotNetHost | 2.1.9 |
runtime.linux-arm.Microsoft.NETCore.DotNetHostPolicy | 2.1.9 |
runtime.linux-arm.Microsoft.NETCore.DotNetHostResolver | 2.1.9 |
runtime.linux-arm64.Microsoft.NETCore.App | 2.1.9 |
runtime.linux-arm64.Microsoft.NETCore.DotNetAppHost | 2.1.9 |
runtime.linux-arm64.Microsoft.NETCore.DotNetHost | 2.1.9 |
runtime.linux-arm64.Microsoft.NETCore.DotNetHostPolicy | 2.1.9 |
runtime.linux-arm64.Microsoft.NETCore.DotNetHostResolver | 2.1.9 |
runtime.linux-musl-x64.Microsoft.NETCore.App | 2.1.9 |
runtime.linux-musl-x64.Microsoft.NETCore.DotNetAppHost | 2.1.9 |
runtime.linux-musl-x64.Microsoft.NETCore.DotNetHost | 2.1.9 |
runtime.linux-musl-x64.Microsoft.NETCore.DotNetHostPolicy | 2.1.9 |
runtime.linux-musl-x64.Microsoft.NETCore.DotNetHostResolver | 2.1.9 |
runtime.linux-x64.Microsoft.NETCore.App | 2.1.9 |
runtime.linux-x64.Microsoft.NETCore.DotNetAppHost | 2.1.9 |
runtime.linux-x64.Microsoft.NETCore.DotNetHost | 2.1.9 |
runtime.linux-x64.Microsoft.NETCore.DotNetHostPolicy | 2.1.9 |
runtime.linux-x64.Microsoft.NETCore.DotNetHostResolver | 2.1.9 |
runtime.osx-x64.Microsoft.NETCore.App | 2.1.9 |
runtime.osx-x64.Microsoft.NETCore.DotNetAppHost | 2.1.9 |
runtime.osx-x64.Microsoft.NETCore.DotNetHost | 2.1.9 |
runtime.osx-x64.Microsoft.NETCore.DotNetHostPolicy | 2.1.9 |
runtime.osx-x64.Microsoft.NETCore.DotNetHostResolver | 2.1.9 |
runtime.rhel.6-x64.Microsoft.NETCore.App | 2.1.9 |
runtime.rhel.6-x64.Microsoft.NETCore.DotNetAppHost | 2.1.9 |
runtime.rhel.6-x64.Microsoft.NETCore.DotNetHost | 2.1.9 |
runtime.rhel.6-x64.Microsoft.NETCore.DotNetHostPolicy | 2.1.9 |
runtime.rhel.6-x64.Microsoft.NETCore.DotNetHostResolver | 2.1.9 |
runtime.win-arm.Microsoft.NETCore.App | 2.1.9 |
runtime.win-arm.Microsoft.NETCore.DotNetAppHost | 2.1.9 |
runtime.win-arm.Microsoft.NETCore.DotNetHost | 2.1.9 |
runtime.win-arm.Microsoft.NETCore.DotNetHostPolicy | 2.1.9 |
runtime.win-arm.Microsoft.NETCore.DotNetHostResolver | 2.1.9 |
runtime.win-arm64.Microsoft.NETCore.App | 2.1.9 |
runtime.win-arm64.Microsoft.NETCore.DotNetAppHost | 2.1.9 |
runtime.win-arm64.Microsoft.NETCore.DotNetHost | 2.1.9 |
runtime.win-arm64.Microsoft.NETCore.DotNetHostPolicy | 2.1.9 |
runtime.win-arm64.Microsoft.NETCore.DotNetHostResolver | 2.1.9 |
runtime.win-x64.Microsoft.NETCore.App | 2.1.9 |
runtime.win-x64.Microsoft.NETCore.DotNetAppHost | 2.1.9 |
runtime.win-x64.Microsoft.NETCore.DotNetHost | 2.1.9 |
runtime.win-x64.Microsoft.NETCore.DotNetHostPolicy | 2.1.9 |
runtime.win-x64.Microsoft.NETCore.DotNetHostResolver | 2.1.9 |
runtime.win-x86.Microsoft.NETCore.App | 2.1.9 |
runtime.win-x86.Microsoft.NETCore.DotNetAppHost | 2.1.9 |
runtime.win-x86.Microsoft.NETCore.DotNetHost | 2.1.9 |
runtime.win-x86.Microsoft.NETCore.DotNetHostPolicy | 2.1.9 |
runtime.win-x86.Microsoft.NETCore.DotNetHostResolver | 2.1.9 |
System.Security.Cryptography.OpenSsl | 4.5.1 |