.NET August 2023 Updates – .NET 7.0.10, .NET 6.0.21

Today, we are releasing the .NET August 2023 Updates. These updates contain security and non-security improvements. Your app may be vulnerable if you have not deployed a recent .NET update.

You can download 7.0.10 and 6.0.21 versions for Windows, macOS, and Linux, for x86, x64, Arm32, and Arm64.

• Installers and binaries: 7.0.10 | 6.0.21
• Release notes: 7.0.10 | 6.0.21
• Container images
• Linux packages: 7.0.10 | 6.0.21
• Release feedback/issue
• Known issues: 7.0 | 6.0

Windows Package Manager CLI (winget)​

You can now install .NET updates using the Windows Package Manager CLI (winget):

• To install the .NET 7 runtime: winget install dotnet-runtime-7
• To install the .NET 7 SDK: winget install dotnet-sdk-7
• To update an existing installation: winget upgrade

See Install with Windows Package Manager (winget) for more information.

Improvements​

• ASP.NET Core: 7.0.10 | 6.0.21
• Entity Framework Core: 7.0.10 | 6.0.21
• Runtime: 7.0.10 | 6.0.21
• SDK: 7.0.10
• WPF: 7.0.10

Security​

CVE-2023-38178 – .NET Denial of Service Vulnerability

Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core 2.1 and .NET 7.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists in .NET Kestrel where a malicious client can bypass QUIC stream limit in HTTP/3 in both ASP.NET and .NET runtimes resulting in denial of service.

CVE-2023-35390 – .NET Remote Code Execution Vulnerability

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists when some dotnet commands are used in directories with weaker permissions which can result in remote code execution.

CVE-2023-38180 – .NET Denial of Service Vulnerability

Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core 2.1, .NET 6.0, and .NET 7.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists in Kestrel where, on detecting a potentially malicious client, Kestrel will sometimes fail to disconnect it, resulting in denial of service.

CVE-2023-35391 – .NET Information Disclosure Vulnerability

Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET core 2.1, .NET 6.0 and, .NET 7.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists in ASP.NET Core 2.1, .NET 6.0 and, .NET 7.0 applications using SignalR when redis backplane use might result in information disclosure.

Visual Studio​

See release notes for Visual Studio compatibility for .NET 7.0 and .NET 6.0.

Click to expand...

.NET August 2023 Updates – .NET 7.0.10, .NET 6.0.21 - .NET Blog

Check out latest August 2023 updates for .NET 7.0 and .NET 6.0

devblogs.microsoft.com