.NET Core 2.1.2 is available for [download] and usage in your environment. This release includes .NET Core 2.1.2, ASP.NET Core 2.1.2 and .NET Core SDK 2.1.302.
Visit the [.NET Core blog][dotnet-blog] to read more about this release. Your feedback is important and appreciated. We've created an issue at [dotnet/core #1765](https://github.com/dotnet/core/issues/1765) for your questions and comments.
The [.NET Core Docker images](https://hub.docker.com/r/microsoft/dotnet/) have been updated for this release. Details on our Docker versioning and how to work with the images can be seen in ["Staying up-to-date with .NET Container Images"](https://blogs.msdn.microsoft.com/dotnet/2018/06/18/staying-up-to-date-with-net-container-images/).
See [.NET Core Supported OS Lifecycle Policy](https://github.com/dotnet/core/blob/master/os-lifecycle-policy.md) to learn about Windows, macOS and Linux versions that are supported for each .NET Core release.
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
Microsoft is aware of a security feature bypass vulnerability that exists when .NET Core does not correctly validate certificates. An attacker who successfully exploited this vulnerability could present an expired certificate when challenged.
The update addresses the vulnerability by correcting how .NET Core applications handle certificate validation.
| Package name | Vulnerable versions | Secure versions |
| :--- | :--- | :--- |
System.Private.ServiceModel | 4.0.0, 4.1.0, 4.1.1 <br> 4.3.0, 4.3.1 <br>4.4.0, 4.4.1, 4.4.2 <br> 4.5.0, 4.5.1 | 4.1.2 or later <br> 4.3.2 or later <br> 4.4.3 or later <br> 4.5.2 or later |
System.ServiceModel.Duplex | 4.0.0, 4.1.0, 4.1.1 <br> 4.3.0, 4.3.1 <br>4.4.0, 4.4.1, 4.4.2 <br> 4.5.0, 4.5.1 | 4.1.2 or later <br> 4.3.2 or later <br> 4.4.3 or later <br> 4.5.2 or later |
System.ServiceModel.Http | 4.0.0, 4.1.0, 4.1.1 <br> 4.3.0, 4.3.1 <br>4.4.0, 4.4.1, 4.4.2 <br> 4.5.0, 4.5.1 | 4.1.2 or later <br> 4.3.2 or later <br> 4.4.3 or later <br> 4.5.2 or later |
System.ServiceModel.NetTcp | 4.0.0, 4.1.0, 4.1.1 <br> 4.3.0, 4.3.1 <br>4.4.0, 4.4.1, 4.4.2 <br> 4.5.0, 4.5.1 | 4.1.2 or later <br> 4.3.2 or later <br> 4.4.3 or later <br> 4.5.2 or later |
System.ServiceModel.Primitives | 4.0.0, 4.1.0, 4.1.1 <br> 4.3.0, 4.3.1 <br>4.4.0, 4.4.1, 4.4.2 <br> 4.5.0, 4.5.1 | 4.1.2 or later <br> 4.3.2 or later <br> 4.4.3 or later <br> 4.5.2 or later |
System.ServiceModel.Security | 4.0.0, 4.1.0, 4.1.1 <br> 4.3.0, 4.3.1 <br>4.4.0, 4.4.1, 4.4.2 <br> 4.5.0, 4.5.1 | 4.1.2 or later <br> 4.3.2 or later <br> 4.4.3 or later <br> 4.5.2 or later |
### [CVE-2018-8171: ASP.NET Core Security Feature Bypass Vulnerability](https://github.com/aspnet/Announcements/issues/310)
**Executive summary**
Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
Microsoft is aware of a security feature bypass in ASP.NET Core when the number of incorrect login attempts is not validated. An attacker who successfully exploited this vulnerability could try an infinite number of authentication attempts.
The update addresses the vulnerability by correcting how ASP.NET Core validates the number of incorrect login attempts.
#### Package and Binary updates
| Package name | Vulnerable versions | Secure versions |
### [July 2018: ASP.NET Core Denial Of Service Vulnerability](https://github.com/aspnet/Announcements/issues/311)
**Executive summary**
Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core 2.0 and 2.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
Microsoft is aware of a denial of service vulnerability in ASP.NET Core when a malformed request is terminated. An attacker who successfully exploited this vulnerability could cause a denial of service attack.
The update addresses the vulnerability by correcting how ASP.NET Core handles such requests.
#### Package and Binary updates
| Package name | Vulnerable versions | Secure versions |