[cm2187]

And now that everything is a package, it won’t get fixed with windows update. Which means that if the website isn’t actively developed and regularly deployed, it will remain vulnerable

[voxic11]

Actually this bug is in Microsoft.AspNetCore.App.Runtime which is an implict package that comes from the runtime. So simply updating your version of the dotnet should fix any vulnerable applications.

[lsbehe]

M$ offers system wide installations. Those don't seem to be updated automatically either but at least I don't have to deploy 6 servers now.

[Uvix]

On Linux, system-wide installations are handled through the system's package manager.

On Windows, if you have the "Install updates for other Microsoft products" option enabled, .NET [Core] runtimes will be updated through Windows Update.

If the domain's group policy won't let you turn it on from the UI (or if you want to turn it on programmatically for other reasons), the PowerShell 7 installer has a PowerShell script that can be adapted to do the trick: https://github.com/PowerShell/PowerShell/blob/ba02868d0fa1d7...

[lsbehe]

archlinux doesn't offer the new version yet. https://archlinux.org/packages/extra/x86_64/aspnet-runtime/ Only exposing stuff behind caddy so it doesn't seem to be an issue.