Today, we are releasing the .NET Core January 2018 Update. This includes .NET Core 1.0.9, 1.1.6 and 2.0.5.

Please leave feedback on the release in the comments below or at dotnet/core #1199.

Security

CVE-2018-0786 – Security Feature Bypass in X509 Certificate Validation

Microsoft is aware of a security vulnerability in the public versions of .NET Core where an attacker could present a certificate that is marked invalid for a specific use, but a component uses it for that purpose. This action disregards the Enhanced Key Usage tagging.

The security update addresses the vulnerability by ensuring that .NET Core components completely validate certificates.

CVE-2018-0786

CVE-2018-0764 – Denial of Service when parsing XML documents

Microsoft is aware of a Denial of Service vulnerability in all public versions of .NET core due to improper processing of XML documents. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to a .NET Core application.

The update addresses the vulnerability by correcting how .NET core handles XML document processing.

CVE-2018-0764

Getting the Update

The .NET Core January 2017 Update is available from the .NET Core download page.

You can always download the latest version of .NET Core at .NET Downloads.

Docker Images

.NET Docker images have been updated for today’s release. The following repos have been updated.


Note: Look at the “Tags” view in each repository to see the updated Docker image tags.

Note: You must re-pull base images in order to get updates. The Docker client does not pull updates automatically.


Source: .NET Core January 2018 Update | .NET Blog