The .NET Core SDK 2.0.3 includes .NET Core 2.0.3 Runtime so downloading the runtime packages separately is not needed when installing the SDK. After installing the .NET Core SDK 2.0.3, the following command will show that you're running version `2.0.3` of the tools.
Your feedback is important and appreciated. We've created [dotnet/core #1082](https://github.com/dotnet/core/issues/1082) for your questions and comments.
Deployment of .NET Core 2.0 support on Azure AppServices is in process. Because AppServices is a high availability service, the deployment is carfully staged across regions over a period of time. Deployment will begin in the West US 2 and North Central US regions with remaining regions following over few days.
Microsoft is releasing security advisories for .NET Core and ASP.NET Core. Details can be found in corresponding announcements in the [.NET Core](https://github.com/dotnet/announcements/issues?q=is%3Aopen+is%3Aissue+label%3ASecurity) and [ASP.NET Core](https://github.com/aspnet/announcements/issues?q=is%3Aopen+is%3Aissue+label%3ASecurity) repos.
#### CVE-2017-8585 Malformed Certificate can cause Denial of Service
Microsoft is aware of a security vulnerability in .NET Core 1.0, 1.1 and 2.0 where a malformed certificate or other ASN.1 formatted data could lead to a denial of service via an infinite loop on Linux and macOS.
System administrators are advised to update their .NET Core runtimes to versions 1.0.8, 1.1.5 and 2.0.1. Developers are advised to update their .NET Core SDK to version 2.0.3 or 1.1.5.
#### CVE-2017-11879: Open Redirect can cause Elevation Of Privilege
Microsoft is aware of a security vulnerability in ASP.NET Core 2.0 where an Open Redirect exists, leading to Elevation Of Privilege.
#### CVE-2017-11770: Denial Of Service Vulnerability
Microsoft is aware of a security vulnerability in ASP.NET Core 1.0, 1.1 and 2.0 where the application is hosted through Windows Http.Sys where a malformed request can lead to a Denial Of Service.
[Runtime tarballs](http://download.microsoft.com/download/5/C/1/5C190037-632B-443D-842D-39085F02E1E8/dotnet-runtime-2.0.3-rhel.6-x64.tar.gz) are now available for use on Red Hat Enterprise Linux 6.
The [.NET Core Docker images](https://hub.docker.com/r/microsoft/dotnet/) have been updated for this release. Look for the 2.0.3 images.
## ASP.NET Core
Please see the [ASP.NET Core release notes](https://github.com/aspnet/Home/releases/tag/2.0.3) and [ASP.NET Core](https://blogs.msdn.microsoft.com/webdev/2017/08/14/announcing-asp-net-core-2-0/) for highlights on work from ASP.NET Core, MVC, Entity Framework Core and others.
## Fixes in the November 2017 Update
## CLI
* [`[8a60d17]`](https://github.com/dotnet/cli/commit/8a60d17) Update F# compiler to match VS
* [`[6ef8af7]`](https://github.com/dotnet/cli/commit/6ef8af7) update fsharp compiler for preview release
* [`[4a2d3fa]`](https://github.com/dotnet/cli/commit/4a2d3fa) Fix up roslyn satellite assembly handling to match new insertion mechanism
* [`[0caee95]`](https://github.com/dotnet/coreclr/commit/0caee95) Don't multiply YieldProcessor count by proc count (#13556)
* [`[0ee7d4a]`](https://github.com/dotnet/coreclr/commit/0ee7d4a) Parameterize RIDs for package restore
* [`[3512bb3]`](https://github.com/dotnet/coreclr/commit/3512bb3) Restore missing native *.ni.pdb file from the Microsoft.NETCore.Runtime.CoreCLR (#12677)
* [`[b6abc16]`](https://github.com/dotnet/coreclr/commit/b6abc16) Fixed issue #13282: dbgshim fails with E_ACCESSDENIED on Windows.
* [`[b2c377b]`](https://github.com/dotnet/coreclr/commit/b2c377b) JIT: Fix value type box optimization
* [`[0803236]`](https://github.com/dotnet/coreclr/commit/0803236) Don't map P-DEP SIMD12 local vars to SIMD16 on x64
* [`[d99bf2d]`](https://github.com/dotnet/coreclr/commit/d99bf2d) Removed the legacy JIT32 assert regarding 4-byte alignment inArenaAllocator::allocateMemory Immediately after this assert we roundUp to an pointer size allocation amount.
* [`[86d8a0c]`](https://github.com/dotnet/coreclr/commit/86d8a0c) Port "git clone" fixes to release 2.0.0 (#13467)
* [`[94d4aa4]`](https://github.com/dotnet/coreclr/commit/94d4aa4) don't use r2r images when the profiler requests that ngen images are disabled (#13349)
* [`[4c1bc91]`](https://github.com/dotnet/coreclr/commit/4c1bc91) Fix non-portable parameters in build-packages.sh script
* [`[3b9ce14]`](https://github.com/dotnet/coreclr/commit/3b9ce14) Add RH6 rid detections to build-packages.sh script
* [`[e7e64c8]`](https://github.com/dotnet/coreclr/commit/e7e64c8) Remove setting of LD_LIBRARY_PATH because we want to set it in docker image
* [`[384f815]`](https://github.com/dotnet/coreclr/commit/384f815) Correct the values of "Rid" and "TestContainerSuffix" of newly added entries.
* [`[c5e25ee]`](https://github.com/dotnet/coreclr/commit/c5e25ee) Add JitMinOpts throughput jobs
* [`[214d82d]`](https://github.com/dotnet/coreclr/commit/214d82d) Support COMPlus_JITMinOpts for crossgen
* [`[860e13d]`](https://github.com/dotnet/coreclr/commit/860e13d) Port of https://github.com/dotnet/coreclr/pull/13034 to release 2.0.0 -- Remove Ubuntu 16.10 as it's EOL (#13041)
* [`[9108063]`](https://github.com/dotnet/corefx/commit/9108063) Fix bug in MS.CSharp handling non-generic classes nested in generic (#22117)
* [`[d76ab29]`](https://github.com/dotnet/corefx/commit/d76ab29) Make 4.4.1 SqlClient harvest the 4.3.1 SqlClient package for its netstandard1.3 bits, since 4.3.0 SqlClient has a connection leak. (#23412)
* [`[725fc01]`](https://github.com/dotnet/corefx/commit/725fc01) Migrate corefx release/2.0.0 branch to git clone from VSO instead of unstable github (#23410)
* [`[8d7ff69]`](https://github.com/dotnet/corefx/commit/8d7ff69) Removed SNIMarsManager, and modified TdsParserStateObjectManaged so that it manages its own SNIMarsConnection if MARS is enabled. This prevents SNIMarsConnections from accumulating forever in a static SNIMarsManager singleton. (#22709) (#23357)
* [`[204cdd7]`](https://github.com/dotnet/corefx/commit/204cdd7) Enable RHEL6 in release/2.0.0 (#23084)