Microsoft is releasing security advisories for .NET Core and ASP.NET Core. Issues addressed by this update are summarized in the [fixes](#notable-fixes-and-commits) section below. Details can be found in corresponding announcements in the [.NET Core](https://github.com/dotnet/announcements/issues?q=is%3Aopen+is%3Aissue+label%3ASecurity) and [ASP.NET Core](https://github.com/aspnet/announcements/issues?q=is%3Aopen+is%3Aissue+label%3ASecurity) repos.
The .NET Core SDK 2.1.101 includes .NET Core 2.0.6 Runtime so downloading the runtime packages separately is not needed when installing the SDK. After installing the .NET Core SDK 2.1.101, the following command will show that you're running version `2.1.101` of the tools.
`dotnet --version`
Your feedback is important and appreciated. We've created an issue at [dotnet/core #1341](https://github.com/dotnet/core/issues/1341) for your questions and comments.
## Docker Images
The [.NET Core Docker images](https://hub.docker.com/r/microsoft/dotnet/) have been updated for this release. Look for the 2.0.6 images.
## Azure AppServices
Deployment of this update to Azure AppServices is in process. Because AppServices is a high availability service, the deployment is carfully staged across regions over a period of time. Deployment will begin in the West US 2 and North Central US regions with remaining regions following over a few days.
### Windows Server Hosting bundle (`DotNetCore.2.0.6-WindowsHosting.exe`) does not contain the updated AspNetCore RuntimePackageStore
**Issue** `DotNetCore.2.0.6-WindowsHosting.exe` incorrectly contains the 2.0.5 AspNetCore RuntimePackageStore rather than 2.0.6.
**Resolution:** If you have already installed the broken installer, download and run the [new installer](https://go.microsoft.com/fwlink/?linkid=869674). You can verify the correct version is installed by checking this:
Open the Control Panel and navigate to “Uninstall a program”, or on Windows 10 open Windows settings and navigate to “Apps”.
Find the entry for `Microsoft .NET Core 2.0.6 – Windows Server Hosting`. This entry should show that version `2.0.40314.10011` is installed.
### Using Linux package managers to update `dotnet-host.x86_64` breaks .NET Core
**Issue:** Running the package manager `update` command on Linux systems where .NET Core has been previously installed may offer an update for `dotnet-host.x86_64`. If the update is allowed to proceed, .NET Core could be in a broken state as only the dotnet host is updated.
**Resolution:** To install the update, either the Runtime or SDK must be explicitly installed. e.g. `sudo [apt-get, yum, dnf, zypper] install dotnet-runtime-2.0.6`, if you only need the runtime or `sudo [apt-get, yum, dnf, zypper] dotnet-sdk-2.1.101`, to install both the SDK and Runtime.
We are working to improve our Linux packages to enable correct package manager update behavior. This work is being tracked in the following issues:
Microsoft is aware of a security vulnerability in the public versions of .NET Core where a malicious file or web request could cause a denial of service (DoS) attack. See the following announcement for details.
* [`[7751d09]`](https://github.com/dotnet/corefx/commit/7751d09) Enable ECDH cipher suites as preferred cipher for key agreement.
* [`[804c756]`](https://github.com/dotnet/corefx/commit/804c756) Ensure HttpListener request buffer is aligned as required by the host processor (#25763)
* [`[97ce4b6]`](https://github.com/dotnet/corefx/commit/97ce4b6) Revert "Minor change to avoid an allocation in Uri" (#25643)
* [`[0933a23]`](https://github.com/dotnet/corefx/commit/0933a23) Port 2 fixes for NamedPipeClientStream (#26118)
* [`[e2f8be3]`](https://github.com/dotnet/corefx/commit/e2f8be3) Support Reference Assemblies in SGEN. (#24491)
* [`[0a129de]`](https://github.com/dotnet/corefx/commit/0a129de) Ignore the type if it contains any property that only have private setter. (#24611)
* [`[3e437ec]`](https://github.com/dotnet/corefx/commit/3e437ec) Make the public class be internal in sgen. (#24345)
* [`[cac0f6a]`](https://github.com/dotnet/corefx/commit/cac0f6a) Add more parameters support in SGEN. (#24322)
* [`[8d2753e]`](https://github.com/dotnet/corefx/commit/8d2753e) Remove the line that will copy the generated serializer to the pack. (#24199)
* [`[0e29bf8]`](https://github.com/dotnet/corefx/commit/0e29bf8) Add the target to copy the serializer to publish folder. (#24096)
* [`[e82739f]`](https://github.com/dotnet/corefx/commit/e82739f) Add warning by default in SGEN (#24054)
* [`[31a21dd]`](https://github.com/dotnet/corefx/commit/31a21dd) Add help method for SGEN. (#23966)
* [`[c2704a6]`](https://github.com/dotnet/corefx/commit/c2704a6) Add /casesensitive parameter so the command works on linux when the path contains capital letter (#23947)