Ben Hall

Ben Hall

Iteration over perfection

1 minute read

Automatic updates in Windows for .NET Core and .NET 5

I just made a small update to my .NET version guidance this quarter - that .NET Core and .NET 5 servicing updates can now be installed automatically on Windows, through Microsoft Update.

See the article I wrote in January for more on this.

.NET Core Support Lifecycle Key Dates

The key dates for those staying on the LTS (Long-term Support) releases, to help plan ahead for upgrades:

  • Core 2.1 goes out of support 21 August 2021.
  • Core 3.1 goes out of support 3 December 2022.

.NET 6 is the next LTS that we should be looking to move both Core 2.1 and 3.1 applications on to. It’s planned release is 10 November 2021.

There’s a clear upgrade window for 3.1 to work towards but 2.1 will unfortunately require an intermediate stage.

.NET Framework Support Lifecycle Key Dates

More to consider with this and worth a read of my my .NET version guidance. Some headlines:

  • Versions 4, 4.5 and 4.51 are out of support so check those legacy applications.
  • Support for .NET Framework 4.5.2, 4.6, and 4.6.1 will end on April 26, 2022. This is a departure from the lifecycle due to SHA-1 retirement.

.NET Security Advisory

Hopefully you caught my notice earlier on in March and have already taken appropriate action.

The vulnerability is with a .NET library System.Text.Encodings.Web, which is included out of the box in the runtime for anything based off Microsoft.NETCore.App. The issue is misleading on the face of it as this package is also used in .NET Framework applications directly as a NuGet.

Action: .NET Core / NET 5

It should be adequate to update the runtime on the box and restart the application. (3.1.13 or 2.1.26)

If it’s a self-contained application then it needs to be rebuilt and redeployed from an agent with the updated runtime. Note that if you include the following in AzDo pipeline yaml, it will automatically pull the SDK v3.1.407 in, which includes the fix.

task: UseDotNet@2
        displayName: 'Use .NET Core sdk'
        inputs:
          packageType: sdk
          version: 3.1.x
          installationPath: $(Agent.ToolsDirectory)\\dotnet

If you’ve enabled the new Windows Update feature for .NET Core then just check that happened!

Action: .NET Framework

Update the package to a version that is not vulnerable and redeploy (4.5.1, 4.7.2, 5.0.1).

Tags:

Categories:

Updated:

Comments

You May Also Enjoy

Listen to me on the Day 2 Cloud podcast

less than 1 minute read

I was invited to chat with the Packet Pushers folk on ‘OpenTelemetry – Getting From Visibility To Observability With Ben Hall’. Looks like I pushed a show th...

OpenTelemetry, The Missing Ingredient

9 minute read

At its core, OpenTelemetry (OTel) is a vendor-neutral standard for telemetry. But it also provides a complete end-to-end implementation for generating, emitt...