Software Update: .Net Core 2.2.1 / 2.1.7

Microsoft has released .Net Core versions 2.2.1 and 2.1.7. This is a modular platform for creating web applications and services that run on Linux, macOS, and Windows. Of course it uses .Net and you can compare it to Node.js or Go. The whole is released under a mix of MIT, Apache 2 and CC BY 4.0 licenses. These releases feature the following announcement on the .Net Blog:

.NET Core January 2019 Updates – 2.1.7 and 2.2.1

Today, we are releasing the .NET Core January 2019 Update. These updates contain security and reliability fixes.

• .NET Core 2.1.7 and .NET Core SDK 2.1.503 (Download | Release Notes)
• .NET Core 2.2.1 and .NET Core SDK 2.2.102 (Download | Release Notes)

Security

• CVE-2019-0545: .NET Core Information Disclosure Vulnerability
  The security update addresses the vulnerability by enforcing Cross-origin Resource Sharing (CORS) configuration to prevent its bypass in .NET Core 2.1 and 2.2. An attacker who successfully exploited the vulnerability could retrieve content, that is normally restricted, from a web application.
• CVE-2019-0548: ASP.NET Core Denial Of Service Vulnerability
  This security vulnerability exists in ASP.NET Core 1.0, 1.1, 2.1 and 2.2. If an application is hosted on Internet Information Server (IIS) a remote unauthenticated attacker can use a specially crafted request to cause a Denial of Service.
• CVE-2019-0564: ASP.NET Core Denial Of Service Vulnerability
  This security vulnerability exists in ASP.NET Core 1.0, 1.1, 2.1 and 2.2. If an application is hosted on Internet Information Server (IIS) a remote unauthenticated attacker can use a specially crafted request to cause a Denial of Service.
• CVE-2018-8416: .NET Core Tampering Vulnerability
  A security vulnerability exists wherein .NET Core 2.1 improperly handles specially crafted files. An attacker who successfully exploited this vulnerability could write arbitrary files and directories to certain locations on a vulnerable system. However, an attacker would have limited control over the destination of the files and directories. To exploit the vulnerability, an attacker must send a specially crafted file to a vulnerable system.

Windows ARM support
This release includes the first availability of .NET Core for Windows Server, version 1809 ARM32. Runtime zips can be found on the downloads page. The SDK zip is expected to be live on the 9th and this note will be updated when that happens.

Getting the Update
The latest .NET Core updates are available on the .NET Core download page. This update is included in the Visual Studio 15.9.5 update, which is also releasing today. See the .NET Core release notes for details on the release including a detailed commit list and affected files.

Docker Images
The .NET Core Docker images have been updated for this release. Details on our Docker versioning and how to work with the images can be seen in “Staying up-to-date with .NET Container Images”.

Azure App Services deployment
Deployment of .NET Core 2.1.7 and 2.2.1 to Azure App Services has started. The West Central US, North Central US and West US 2 regions are live now. Remaining regions will be updated in the next few days.