
How to apply security updates to .NET Core projects?

Tags:

asp.net-core

I'm looking at .NET Core more closely and what I don't seem to find any info on is how do you apply security updates?

If I have all my assemblies with the application, detached from Windows Update, in case of security patches to the components, how would I update them?

When you use the framework that comes with the OS, you only update once, but if you have a bunch of sites, I need to update each of them separately? And I assume it would all need to start from my original source, do an update there and then re-deploy everything, because if I just update the deployments via command line, and I don't do the same with my source, I'll re-deploy the insecure bits again.

romeozor asked Mar 22 '17 15:03




1 Answer

You will always have to do this anyway, as system updates would only affect the runtime, not the packages your app references that are from NuGet or other sources.

.NET Core comes in 2 flavors

1. Portable Applications

Portable applications are like what you are used to from .NET Framework. You install the runtime/SDK and your application only references this core set but doesn't deploy it with your application.

There it's sufficient to update the runtime. The advantage is smaller deployment packages. The disadvantage is that you are required to install the correct version of the runtime on the system before deploying.

2. Self-contained Applications

Self-contained applications, on the other hand, do not require an installed runtime and will deploy the necessary system libraries with the application.

The advantages here are that you can deploy applications and run multiple applications side-by-side which use the libraries they were compiled with, without side-effects from framework or runtime updates.

The disadvantages are the bigger size and the lack of a central update mechanism for fixes and security updates.

But in the end, the issue is still the same. Neither of the 2 flavors will solve the problem when one of your non-.NET-Framework dependencies is upgraded or receives security fixes.

So rebuilding/redeploying your application with the updated set of libraries is still required with both flavors, and it was also required with the old .NET Framework.

To upgrade older applications or versions you should utilize a source control system. Use tags for milestones/versions, so you can always check out the tag, upgrade its dependencies, and commit + deploy it.

Also, .NET Core can be utilized with Docker, so deployment should be easy when you use some Docker orchestration tool like Rancher.

On top of that, specific libraries (like cryptography) aren't shipped via NuGet/.NET Core Runtime, just their wrappers. Cryptography, for example, has a native dependency on CryptoAPI on Windows and OpenSSH on Linux/macOS. When a bug gets fixed in OpenSSH, this will be covered by the system update mechanism (i.e. apt-get etc.).

Tseng answered Oct 22 '22 00:10

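The check the answer implies, run against the source tree before redeploying, as an added example that is not part of the original question or answer: it reads a project file, reports whether the app is self-contained (so a runtime fix also needs a rebuild), and lists package references older than a known fixed version. The project file, package names and advisory data are constructed, and the flavor is taken only from an explicit `SelfContained` property, which is an assumption of this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed sample project file; package names and versions are made up.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup>
    <TargetFramework>netcoreapp1.1</TargetFramework>
    <SelfContained>true</SelfContained>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Example.Json" Version="1.2.0" />
    <PackageReference Include="Example.Logging" Version="3.0.1" />
    <PackageReference Include="Example.Http" Version="2.*" />
  </ItemGroup>
</Project>"""

# Constructed advisory data: package id -> first version that contains the fix.
FIXED_IN = {"Example.Json": "1.2.4", "Example.Logging": "3.0.0", "Example.Http": "2.1.0"}

def parse_version(text):
    """'1.2.4-beta1' -> (1, 2, 4, 0); labels are ignored, floating versions give None."""
    core = text.split("-")[0].split("+")[0]
    try:
        parts = [int(p) for p in core.split(".")]
    except ValueError:
        return None
    return tuple(parts + [0] * (4 - len(parts)))

def local(tag):
    """Drop an XML namespace so old-style and SDK-style project files both match."""
    return tag.rsplit("}", 1)[-1]

def audit(csproj_text, fixed_in):
    """Report the flavor (self-contained ships the runtime) and stale package references."""
    self_contained, outdated, unchecked = False, [], []
    for el in ET.fromstring(csproj_text).iter():
        if local(el.tag) == "SelfContained":
            self_contained = (el.text or "").strip().lower() == "true"
        elif local(el.tag) == "PackageReference" and el.get("Include") in fixed_in:
            pkg, fixed = el.get("Include"), fixed_in[el.get("Include")]
            current = parse_version(el.get("Version") or "")
            if current is None:
                unchecked.append(pkg)  # floating or missing version: check the restored one
            elif current < parse_version(fixed):
                outdated.append((pkg, el.get("Version"), fixed))
    return {"self_contained": self_contained, "runtime_fix_needs_redeploy": self_contained,
            "outdated": outdated, "unchecked": unchecked}

if __name__ == "__main__":
    print(audit(SAMPLE_CSPROJ, FIXED_IN))
```

Anything listed under `outdated` has to be bumped in source control and rebuilt in either flavor; `runtime_fix_needs_redeploy` is the part that differs between the two.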