Today, we are releasing the January 2018 Security and Quality Rollup.

See .NET Framework 4.7.1 is available on Windows Update, WSUS and MU Catalog! for separately available reliability updates for the .NET Framework 4.7.1.

Security

CVE-2018-0786 – Security Feature Bypass in X509 Certificate Validation

Microsoft is aware of a security vulnerability in the public versions of .NET Core where an attacker could present a certificate that is marked invalid for a specific use, but a component uses it for that purpose. This action disregards the Enhanced Key Usage tagging.

The security update addresses the vulnerability by ensuring that .NET Core components completely validate certificates.

CVE-2018-0786

CVE-2018-0764 – Denial of Service when parsing XML documents

Microsoft is aware of a Denial of Service vulnerability in all public versions of .NET core due to improper processing of XML documents. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to a .NET Core application.

The update addresses the vulnerability by correcting how .NET core handles XML document processing.

CVE-2018-0764

Quality and Reliability

This release contains no new quality and reliability improvements.

Getting the Update

The Security and Quality Rollup is available via Windows Update, Windows Server Update Services, Microsoft Update Catalog, and Docker.

Microsoft Update Catalog

You can get the update via the Microsoft Update Catalog. For Windows 10, .NET Framework updates are part of the Windows 10 Monthly Rollup.

Product Version Security and Quality Rollup KB Security Rollup KB
Windows 10 1709 (Fall Creators Update) Catalog
4056892
N/A
.NET Framework 3.5 4056892 N/A
.NET Framework 4.7.1 4056892 N/A
Windows 10 1703 (Creators Update) Catalog
4056891
N/A
.NET Framework 3.5 4056891 N/A
.NET Framework 4.7 4056891 N/A
Windows 10 1607 (Anniversary Update) Catalog
4056890
N/A
.NET Framework 3.5 4056890 N/A
.NET Framework 4.6.2, 4.7 4056890 N/A
Windows 10 1511 Catalog
4056888
N/A
.NET Framework 3.5 4056888 N/A
.NET Framework 4.6.1 4056888 N/A
Windows 10 1507 Catalog
4056893
N/A
.NET Framework 3.5 4056893 N/A
.NET Framework 4.6 4056893 N/A
Windows 8.1
Windows RT 8.1
Windows Server 2012 R2
Catalog
4055266
Catalog
4055271
.NET Framework 3.5 4054999 4054177
.NET Framework 4.5.2 4054993 4054170
.NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1 4055001 4054182
Windows Server 2012 Catalog
4055265
Catalog
4055270
.NET Framework 3.5 4054997 4054175
.NET Framework 4.5.2 4054994 4054171
.NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1 4055000 4054181
Windows 7
Windows Server 2008 R2
Catalog
4055532
Catalog
4055269
.NET Framework 3.5.1 4054998 4054176
.NET Framework 4.5.2 4054995 4054172
.NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1 4055002 4054183
Windows Server 2008 Catalog
4055267
Catalog
4055272
.NET Framework 2.0, 3.0 4054996 4054174
.NET Framework 4.5.2 4054995 4054172
.NET Framework 4.6 4055002 4054183

Docker Images

Docker images have been updated as part of today’s release (actually, a few days ago).


Note: Look at the “Tags” view in each repository to see the updated Docker image tags.

Note: Significant changes have been made with Docker images recently. Please look at .NET Docker Announcements for more information.


Source: .NET Framework January 2018 Security and Quality Rollup | .NET Blog