.NET 6.0.5 Patch - SDK Update necessary?

[DanielOstovary]

Regarding the .NET 6.0.5 patch: For non-self-contained apps, is it important to update the SDK to mitigate the vulnerabilities CVE-2022-29117, CVE-2022-29145, and CVE-2022-2326? If so, why?

Best regards,
Daniel

[marcpopMSFT]

@rbhanda can comment on the specific changes. In general, we recommend updating the SDK as it includes the runtime so if you're running and testing your applications locally as framework-dependent, you'll have the latest set of security fixes. You're correct that it's critical for self-contained as if you don't update the SDK, the older SDK will include the older runtime packs in your application.

[attritionorg]

I assume you meant 2022-23267 instead of 2022-2326?