Patch Tuesday Release - 4B

[mthalman]

Patch Tuesday Release

Tasks

1. • [x] Merge any pending PRs or commits from dev branch:
     • [x] #531
2. • [x] Look up the latest NuGet CLI versions and update the nuget-info.json file with the latest patch of each major/minor version listed in the file.
3. • [x] Wait for latest cumulative updates (LCUs) to be released (typically at 10 AM PST on Patch Tuesday).
4. • [x] Gather list of KB numbers for the .NET Framework updates from the .NET Release team.
5. • [x] Look up the download URL for each of the KB numbers in Microsoft Update Catalog and input them into the lcu-info.json file. If this is the first Patch Tuesday after the release of a new Windows version, you'll need to do the following extra steps for that version:
     • [ ] Add a new entry to the lcu-info.json file to associate a URL for the new Windows version and 3.5 runtime version.
     • [ ] Update the 3.5/runtime Dockerfile for the new Windows version so that the patch is applied (this can be copied from another 3.5/runtime Dockerfile in a section labeled Apply latest patch)
6. • [x] Run the update-dependencies tool to update all the necessary files:
     • [ ] dotnet run --project .\eng\update-dependencies --datestamp-all <YYYYMMDD>
7. • [x] Inspect generated changes for correctness
8. • [x] Commit generated changes
9. • [x] Create PR
10. • [x] Get PR signoff
11. • [x] Merge PR
12. • [x] Wait for changes to be mirrored to internal dotnet-framework-docker repo (internal MSFT link)

13. • [x] Run the Get-BaseImageStatus.ps1 script and wait until the Windows images have been updated as part of the Windows Patch Tuesday release process. This script will display when the dependent Windows images were last updated. Wait until all the images show that they have been recently updated. "Recently updated" amounts to be having been updated within the past week or so; images from a month ago should be considered to be the old version.

      ./eng/common/Get-BaseImageStatus.ps1 -Continuous

14. • [x] Queue build of dotnet-framework-docker pipeline (internal MSFT link)
15. • [x] Confirm images have been ingested by MCR
16. • [x] Confirm READMEs have been updated in Docker Hub for microsoft-dotnet-framework
17. • [x] Confirm build for dotnet-docker-framework-samples (internal MSFT link) was queued. This will be queued automatically by dotnet-docker-tools-check-base-image-updates when it detects that the product images have been updated (detection runs on a schedule). Alternatively, you can manually queue the samples build.
18. • [x] Confirm sample images have been ingested by MCR
19. • [x] Confirm Last Modified field has been updated in Docker Hub for microsoft-dotnet-framework-samples
20. • [x] Reply to .NET Release team with a status update email

[nrodrigues1]

@mthalman

Hello,

I would like to know why "4.8-20200211-windowsservercore-ltsc2016" has not received the KB update while 4.7.2 and down where updated twice since February?

Also, why kb4550929 was updated directly in the dockerfile if "mcr.microsoft.com/windows/servercore:ltsc2016" is version 10.0.14393.3630 and matches https://support.microsoft.com/en-ca/help/4550929/windows-10-update-kb4550929?

Thank you!

[mthalman]

@nrodrigues1 - Which KB are you expecting for 4.8 on 2016? The one that is currently installed, KB4534126, is the latest 4.8 security update for that OS. The other Dockerfiles explicitly install KB4550929 because they're also installing a version of .NET Fx. After installing .NET Fx, it needs to be patched with the latest Windows LCU.

[nrodrigues1]

@mthalman

Thank you for the great answer sir!

[aidanfolkes]

@nrodrigues1 Shouldn't the base images have been updated per the Image Update Policy. I ask because we're having issues after KB4550929 was applied to the host OS (on a test server) and according to Windows container version compatibility:

Windows Server containers currently don't support scenarios where Windows Server 2016-based containers run in a system where the revision numbers of the container host and the container image are different.

[mthalman]

@aidanfolkes - As per the policy, the images do get rebuilt when a new base Server Core image is made available. And as part of that, the latest security KB is applied to the images. What image tag are you using and how does its version compare to your host?

[aidanfolkes]

@mthalman Image tag is 4.8-windowsservercore-ltsc2016 Host version is 10.0.14393.3630 Container version is 10.0.14393.3568 I'm beginning to suspect that we need to add --pull to the docker build command though.

[mthalman]

Host version is 10.0.14393.3630 Container version is 10.0.14393.3568 I'm beginning to suspect that we need to add --pull to the docker build command though.

Yes, using --pull would definitely be recommended to ensure you're using the latest image. The latest version of the image is using version 10.0.14393.3630.

[aidanfolkes]

That appears to be the problem. Thanks.