News

ASP.NET Core, .NET Core, EF Core 1.0.1 Updates

Among the list of bug fixes is one that squashes a potential security issue with ASP.NET Core View Component that can result in an elevation of privilege on systems.

Microsoft this week released updates to ASP.NET Core, .NET Core and Entity Framework Core that consisted mainly of a growing list of fixes. Among the fix rollup is one that plugs up a potential security breakdown within ASP.NET Core. Microsoft details the issue in a TechNet security bulletin that was released at the same time.

According to the bulletin, the issue affects "the public version of ASP.NET Core MVC 1.0.0 whereView Components could receive incorrect information, including details of the current authenticated user." The bulletin goes on to explain that "If a View Component depends on the vulnerable code and makes decisions based on the current user, then the View Component could make incorrect decisions that result in elevation of privilege."

For those affected, it's a matter of updating the ASP.NET Core templates to the most recent version, which can be found in the Tools section of the .NET Framework Downloads page.

Besides the security issue fix, many of the other fixes were customer discoveries, said Jeffrey T. Fritz, a senior program manager with Microsoft's Developer Outreach Group, in a blog. "Most of the bugs we are addressing were identified by customers and don't have easy workarounds." He said that developers using any of the ASP.NET Core 1.0.0 version of the packages listed here are advised to update to the 1.0.1 versions as soon as possible:

  • Microsoft.EntityFrameworkCore
  • Microsoft.AspNetCore.Server.Kestrel
  • Microsoft.AspNetCore.Mvc
  • Microsoft.AspNetCore.Antiforgery
  • Microsoft.AspNetCore.Routing

Fritz notes that the last two packages are referenced by the third package, Microsoft.AspNetCore.Mvc. "If you are not directly referencing them in your project, you do not need to do any extra work to update them," he explained. "The package manager will automatically include the updated versions when it updates the MVC package." He added that any references in the project.json file also needed to be updated with the newer version numbers.

Highlighted among the issues in .NET Core 1.0.0 that were fixed:

  • Segfaults on Linux 4.6
  • Access violation on Windows
  • F# template has been updated for .NET Core 1.0
  • Update ASP.NET Core templates to reference ASP.NET Core 1.0.1
  • Update ASP.NET Core templates to correctly publish CSHTML files

These are easily fixed by updating to .NET Core 1.0.1, available for download here.

About the Author

Michael Domingo is a long-time software publishing veteran, having started up and managed several developer publications for the Clipper compiler, Microsoft Access, and Visual Basic. He's also managed IT pubs for 1105 Media, including Microsoft Certified Professional Magazine and Virtualization Review before landing his current gig as Visual Studio Magazine Editor in Chief. Besides his publishing life, he's a professional photographer, whose work can be found by Googling domingophoto.

comments powered by Disqus

Featured

  • What's New in Visual Studio 2019 v16.5 Preview 2

    The second preview of Visual Studio 2019 v16.5 has arrived with improvements across the flagship IDE, including the core experience and different development areas such as C++, Python, web, mobile and so on.

  • C# Shows Strong in Tech Skills Reports

    Microsoft's C# programming language continues to show strong in tech industry skills reports, with the most recent examples coming from a skills testing company and a training company.

  • Color Shards

    Sharing Data and Splitting Components in Blazor

    ASP.NET Core Version 3.1 has at least two major changes that you'll want to take advantage of. Well, Peter thinks you will. Depending on your background, your response to one of them may be a resounding “meh.”

  • Architecture Small Graphic

    Microsoft Ships Preview SDK, Guidance for New Dual-Screen Mobile Era

    Microsoft announced a new SDK and developer guidance for dealing with the new dual-screen mobile era, ushered in by the advent of ultra-portable devices such as the Surface Duo.

  • How to Create a Machine Learning Decision Tree Classifier Using C#

    After earlier explaining how to compute disorder and split data in his exploration of machine learning decision tree classifiers, resident data scientist Dr. James McCaffrey of Microsoft Research now shows how to use the splitting and disorder code to create a working decision tree classifier.

.NET Insight

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.

Upcoming Events