Today, we are releasing the .NET February 2022 Updates. These updates contain reliability and security improvements. See the individual release notes for details on updated packages.
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0 and .NET 5.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A denial-of-service vulnerability exists in .NET 5.0 and .NET 6.0, in which Kestrel's overpooling of HTTP/2 and HTTP/3 request headers may lead to denial of service.
Customers who have opted to receive .NET Core updates via the Microsoft Update channel will be offered updates to the Hosting Bundle starting with the December 2021 update. Updates for other .NET Core bundles (.NET Core Runtime, ASP.NET Core Runtime, Windows Desktop Runtime, and SDK) have been offered via Microsoft Update to opted-in customers since December 2020. See this blog post for more information.
.NET 5.0 End of life
.NET 5.0 will reach end of life on May 08, 2022, as described in .NET Releases and per .NET Release Policies. After that time, .NET 5.0 patch updates will no longer be provided. We recommend that you move any .NET 5.0 applications and environments to .NET 6.0. It’ll be an easy upgrade in most cases.
The .NET Releases page is the best place to look for release lifecycle information. Knowing key dates helps you make informed decisions about when to upgrade or make other changes to your software and computing environment.