.NET
Endless Lifecycle Support (ELS) for .NET from TuxCare delivers security fixes for .NET library, framework, and tool packages, distributed through NuGet packages. This allows you to continue running your .NET applications without vulnerability concerns, even after official support has ended.
NuGet is the standard package manager for .NET, used to deliver the reusable components that applications depend on. ELS applies fixes at the package level, so your applications receive security updates without requiring changes to your own code.
Supported NuGet packages
- .NET 6, 8, 10
- Microsoft.Owin 3.1.0
- Microsoft.Owin.Security.Cookies 3.1.0
- Newtonsoft.Json 4.5.11, 4.5.12, 6.0.8, 6.0.9, 8.0.3, 8.0.4, 9.0.1, 9.0.2, 10.0.3, 10.0.4, 11.0.2, 11.0.3, 12.0.3, 12.0.4
- SharpZipLib 0.86.0, 0.86.1
Other versions upon request.
Prerequisites
- .NET SDK installed. A TuxCare-supported .NET SDK build is also available.
- Access to the TuxCare .NET NuGet repository (credentials required). To receive the credentials - a username and password - please contact sales@tuxcare.com. Anonymous access is disabled.
Adding the Repository
This section describes how to add the TuxCare ELS for .NET repository as a package source.
Adding the NuGet Source via CLI
Add the TuxCare NuGet repository as a package source using the dotnet CLI:
dotnet nuget add source "https://nexus.repo.tuxcare.com/repository/<els_dotnet_customerN>/index.json" `
--name TuxCare `
--username <USERNAME> `
--password <PASSWORD>
Replace <els_dotnet_customerN> with your customer repository name, and <USERNAME> and <PASSWORD> with the credentials provided by sales.
Adding the NuGet Source via nuget.config
As an alternative to the CLI, you can configure NuGet package sources using a nuget.config file. This approach is useful for sharing configuration across a team or for version-controlled source settings.
Before creating or editing a nuget.config file, navigate to your project directory (containing a .csproj file). If you don't have a project yet, create one first.
Understanding NuGet Configuration Hierarchy
NuGet configuration follows a hierarchy (from highest to lowest priority):
- Project-level:
nuget.configin your project folder - Solution-level:
nuget.configin the solution folder (parent directory) - User-level:
~/.nuget/NuGet/NuGet.Config - Machine-level:
/etc/nuget/NuGet/NuGet.Config
Settings in higher-priority files override those in lower-priority files.
Creating a nuget.config File
Create a nuget.config file in your project or solution directory:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<packageSources>
<!-- To inherit the global NuGet package sources remove the <clear/> line below -->
<clear />
<add key="TuxCare" value="https://nexus.repo.tuxcare.com/repository/<els_dotnet_customerN>/index.json" />
<add key="nuget" value="https://api.nuget.org/v3/index.json" />
</packageSources>
</configuration>
In this configuration:
- The
<clear />element removes inherited package sources, giving you full control. - The
nugetsource points to the official NuGet.org repository. - The
TuxCaresource points to the TuxCare ELS repository.
Adding Credentials for nuget.config
If your nuget.config requires authentication, you can add credentials using the CLI or by adding a <packageSourceCredentials> section inside <configuration> in your nuget.config:
dotnet nuget update source TuxCare --username <USERNAME> --password <PASSWORD>Avoid committing credentials to version control. Consider using environment variables or a separate local configuration file for sensitive information.
When using the CLI (dotnet nuget add source or dotnet nuget update source), the password is stored as a hash. When manually editing nuget.config, the password is stored in plain text.
Verifying the Source
To verify that the source was added successfully, list all configured NuGet sources:
dotnet nuget list source
Example output:
Registered Sources:
1. TuxCare [Enabled]
https://nexus.repo.tuxcare.com/repository/<els_dotnet_customerN>/index.json
2. nuget [Enabled]
https://api.nuget.org/v3/index.json
Working with Packages
This section explains how to install and use packages from the TuxCare repository.
Navigating to Your Project
Ensure you are in a directory containing a valid .NET project. The folder must contain a .csproj file.
dir *.csproj
If a .csproj file is found, you can proceed with package installation. If not, create a new project:
dotnet new console -o MyProject
cd MyProject
Installing Packages
Install a package from the TuxCare repository using the dotnet add package command:
dotnet add package <PACKAGE_NAME>
To install a specific version:
dotnet add package <PACKAGE_NAME> --version <VERSION>
For example:
dotnet add package Newtonsoft.Json --version 12.0.4-tuxcare-els
You can find available package versions in your TuxCare account on Nexus (anonymous access is restricted).
Using Package Source Mapping
If you use a nuget.config file, you can add package source mapping to route specific packages to the TuxCare feed. This ensures certain packages are always fetched from TuxCare while others come from NuGet.org.
Add a <packageSourceMapping> section inside <configuration> in your nuget.config. For example, to route Newtonsoft.Json to TuxCare:
<packageSourceMapping>
<!-- Allow nuget.org to serve any package -->
<packageSource key="nuget">
<package pattern="*" />
</packageSource>
<!-- Route specific packages to TuxCare feed -->
<packageSource key="TuxCare">
<package pattern="Newtonsoft.*" />
</packageSource>
</packageSourceMapping>You can find available package versions in your TuxCare account on Nexus (anonymous access is restricted).
Building the Project
After installing packages, verify that everything works correctly by building the project:
dotnet build
If the build completes successfully, the TuxCare package is successfully integrated into your project. Check the output folder to confirm that the package DLL (e.g., Newtonsoft.Json.dll) was downloaded from the TuxCare repository.
Upgrading Packages
To upgrade to a newer TuxCare release, update the package in your project:
dotnet add package <PACKAGE_NAME> --version <NEW_VERSION>
Then rebuild the project to verify the upgrade:
dotnet build
Managing NuGet Sources
This section covers common tasks for managing the TuxCare NuGet source.
Removing a Source
If you need to remove the TuxCare source:
dotnet nuget remove source TuxCare
Updating Source Credentials
To update the credentials for an existing source, remove and re-add the source:
dotnet nuget remove source TuxCare
dotnet nuget add source "https://nexus.repo.tuxcare.com/repository/<els_dotnet_customerN>/index.json" `
--name TuxCare `
--username <NEW_USERNAME> `
--password <NEW_PASSWORD>
Resolved CVEs
| CVE ID | Severity | Affected Package | Affected Versions | Safe Versions |
|---|---|---|---|---|
| CVE-2024-21907 | High | Newtonsoft.Json | < 13.0.1 | See Nexus |
| GHSA-5crp-9r3c-p9vr | High | Newtonsoft.Json | < 13.0.1 | See Nexus |
| CVE-2021-32840 | Critical | SharpZipLib | < 1.3.3 | See Nexus |
| CVE-2021-32841 | Medium | SharpZipLib | >= 1.3.0, < 1.3.3 | See Nexus |
| CVE-2021-32842 | Medium | SharpZipLib | >= 1.0.0, < 1.3.3 | See Nexus |
