Yesterday saw the release of the January 2019 update to .NET Core.
These updates contain security and reliability fixes.
.NET Core Information Disclosure Vulnerability – CVE-2019-0545
Microsoft is aware of an information disclosure vulnerability exists in .NET Framework and .NET Core which allows bypassing Cross-origin Resource Sharing (CORS) configurations. An attacker who successfully exploited the vulnerability could retrieve content, that is normally restricted, from a web application.
ASP.NET Core Denial Of Service Vulnerability – CVE-2019-0564, CVE-2019-0548
Microsoft is aware of a security vulnerability in all public versions of ASP.NET Core where, if an application is hosted on Internet Information Server (IIS) a remote unauthenticated attacker can use a specially crafted request can cause a Denial of Service.
.NET Core Tampering Vulnerability – CVE-2018-8416
A tampering vulnerability exists when .NET Core improperly handles specially crafted files. An attacker who successfully exploited this vulnerability could write arbitrary files and directories to certain locations on a vulnerable system. However, an attacker would have limited control over the destination of the files and directories.
To exploit the vulnerability, an attacker must send a specially crafted file to a vulnerable system.
Where to Get the Update
This update is included in the Visual Studio 15.9.5 update, which was also released yesterday. The latest .NET Core updates are available on the .NET Core download page.
Windows ARM support
Included in this update is the first availability of the .NET Core for Windows Server, version 1809 ARM32. The SDK zip is expected to be live today.