ASP.NET Core, .NET Core, EF Core 1.0.1 Updates
Among the list of bug fixes is one that squashes a potential security issue with ASP.NET Core View Component that can result in an elevation of privilege on systems.
- By Michael Domingo
Microsoft this week released updates to ASP.NET Core, .NET Core and Entity Framework Core that consisted mainly of a growing list of fixes. Among the fix rollup is one that plugs up a potential security breakdown within ASP.NET Core. Microsoft details the issue in a TechNet security bulletin that was released at the same time.
According to the bulletin, the issue affects "the public version of ASP.NET Core MVC 1.0.0 whereView Components could receive incorrect information, including details of the current authenticated user." The bulletin goes on to explain that "If a View Component depends on the vulnerable code and makes decisions based on the current user, then the View Component could make incorrect decisions that result in elevation of privilege."
For those affected, it's a matter of updating the ASP.NET Core templates to the most recent version, which can be found in the Tools section of the .NET Framework Downloads page.
Besides the security issue fix, many of the other fixes were customer discoveries, said Jeffrey T. Fritz, a senior program manager with Microsoft's Developer Outreach Group, in a blog. "Most of the bugs we are addressing were identified by customers and don't have easy workarounds." He said that developers using any of the ASP.NET Core 1.0.0 version of the packages listed here are advised to update to the 1.0.1 versions as soon as possible:
Fritz notes that the last two packages are referenced by the third package, Microsoft.AspNetCore.Mvc. "If you are not directly referencing them in your project, you do not need to do any extra work to update them," he explained. "The package manager will automatically include the updated versions when it updates the MVC package." He added that any references in the project.json file also needed to be updated with the newer version numbers.
Highlighted among the issues in .NET Core 1.0.0 that were fixed:
- Segfaults on Linux 4.6
- Access violation on Windows
- F# template has been updated for .NET Core 1.0
- Update ASP.NET Core templates to reference ASP.NET Core 1.0.1
- Update ASP.NET Core templates to correctly publish CSHTML files
These are easily fixed by updating to .NET Core 1.0.1, available for download here.
Michael Domingo is a long-time software publishing veteran, having started up and managed several developer publications for the Clipper compiler, Microsoft Access, and Visual Basic. He's also managed IT pubs for 1105 Media, including Microsoft Certified Professional Magazine and Virtualization Review before landing his current gig as Visual Studio Magazine Editor in Chief. Besides his publishing life, he's a professional photographer, whose work can be found by Googling domingophoto.