Last Week in .NET

Microsoft fixes 87 security bugs, countless CVEs, and reminds us they have money to spend, just not on non-Microsoft Open Source Projects.

Show Notes

This is Last Week in .NET for the week that ended 17 October 2020. Lots of releases and CVE fixes last week, so let's get to it.

📢 .NET 5 RC2 has been released. I mentioned last week that RC 1 was probably the last RC until GA, and I was wrong. I won't pundit on that any more, I have, in fact, learned my lesson. ClickOnce makes an appearance, and there are several smaller updates in this release.

📢 .NET Core 3.1.9 has been released. This release includes bugfixes across the runtime, framework, and ASP.NET Core as well as support for Fedora 33 and Ubuntu 20.10

📢 .NET Core 2.1.23 has been released Much like its hotter younger brother 3.1.9, 2.1.23 has bugfixes and updates for the runtime as well as the same aforementioned support for new releases of Fedora and Ubuntu.

📢 WinRT 0.8 has been released This has to do with using C# with WinRT, and at this point with the number of fluctuations to the Windows UI story, I'm not sure what the hell this does or who's it for.

🚨 https://www.bleepingcomputer.com/news/security/microsoft-october-2020-patch-tuesday-fixes-87-security-bugs/ That's a lot. So much so that the list of CVEs in this Patch Tuesday is itself too long to talk about.

The patches and CVE fixes cover the following software:

  • Microsoft Windows
  • Microsoft Office and Microsoft Office Services and Web Apps
  • Microsoft JET Database Engine
  • Azure Functions
  • Open Source Software (yes, they actually wrote "Open Source Software")
  • Microsoft Exchange Server
  • Visual Studio
  • PowerShellGet
  • Microsoft .NET Framework (There we are!)
  • Microsoft Dynamics
  • Adobe Flash Player
  • Microsoft Windows Codecs Library
🚨 Microsoft also patched CVE-2020-16898, which allowed someone to use a malformed IPV6 ICMP Packet to... take over a system?!?!?!

✉️ .NET Foundation September/October 2020 update [https://dotnetfoundation.org/blog/2020/10/14/blog/posts/net-foundation-september-october-2020-update](.NET Foundation join's OSI's affiliate initiative; new .NET projects are showcased)
🎥 Microsoft releases .NET Live TV! (Not to be confused with Microsoft's "Live" product). The goal is to have "Netflix for .NET" There's a lot of production to put into a 'live' TV channel, and if anyone can do it, Microsoft can. I just wish they'd use that money to pay the OSS maintainers whose projects they copy.
🎥 Speaking of Microsoft Live TV. Channel 9 released another video in a series of Progressive Web Applications with Blazor 🐦 Part of the release for .NET 5 RC2 is the ability to use ClickOnce deployment with .NET 5. As the tweet says, "This is huge" and I'm only hoping it works out better this time. In the teams I've been a part of, there was always a reason why ClickOnce wouldn't work; but maybe that's all been fixed? 🎥 How does .NET 5 change my development? Immo Landwerth of the .NET team takes the time to answer that question in a whole minute and 25 seconds. Just a little more shaving and you can get it into a TikTok. Brb, starting a tiktok for .NET.
🎥 Immo Landwerth takes you through how .NET 5's compatibility analyzer works when trying to work with cross platform code. If you get "PlatformNotSupported" Exceptions, this video is for you.

🚨: Microsoft republished a fix for CVE-2020-1147 because it was breaking SQL CLR objects. They didn't find it sooner because there are about five people in the known universe that use SQL CLR Objects. Thoughts and Prayers.

💰: Octopus Deploy is now a corporate sponsor for the .NET Foundation. This is a big change from 8 months ago when Octopus Deploy cut ties with Microsoft, and both blog posts are by the same person, Paul Stovall, Founder of Octopus Deploy.

In the post, Paul details that they want to help change the trajectory of .NET Open Source by funding it, and for that I commend them. It seems like they want to try to 'change things from the inside', and maybe they'll be able to. Regardless, thank you, Paul, and thank you Octopus Deploy.

🐦 Kevin Jones (aka @vcsjones on Twitter) showed an open issue in .NET where misusing stackalloc for a dynamically bounded array could cause a Stack Overflow in .NET. This is fixed in the "master" branch for the .NET Repo (can we get a branch name change, Microsoft), and maybe we'll see a .NET 5 RC3 or maybe this will just be in the GA version.

📝 Karen Payne released a blog post on how to work with Delegates and Events in VB.NET. It's wonderful to see people blog about VB.NET, and we need more of that. It's a wonderful language in its own right. Thanks, Karen.

📅 .NET Conf (yes, the correctly spelled one) is November 10th-12th) Are you 'going'? If not, I'll be livetweeting it @gortok on twitter. You know where the mute button is.

It was a pretty busy week for the world of .NET. I'm George Stocker, and I help teams write .NET systems that are easy to maintain and improve. If you're interested in learning more, check out www.doubleyourproductivity.io.

What is Last Week in .NET?

A podcast that details the happenings around the .NET ecosystem, generally a week at a time. I can neither confirm nor deny that there will be attempts at humor involved.

For any confusion caused to fishermen thinking they've gotten a new podcast devoted to the tools of fishing, I am sorry. This is about the technology stack. Naming is hard.