Fixes for rel notes

vivmishra 2019-01-07 14:33:23 -08:00
parent eaa90ba3c3
commit 1381512a5c
2 changed files with 42 additions and 42 deletions

@ -1,4 +1,4 @@
# .NET Core 2.1.7 January 2019 Update - January 08, 2019
# .NET Core 2.1.7 Update - January 08, 2019
.NET Core 2.1.7 is available for [download](2.1.7-download.md) and usage in your environment. This release includes .NET Core 2.1.7, ASP.NET Core 2.1.7 and .NET Core SDK 2.1.503.
@ -45,35 +45,36 @@ The following OS version has changed support status since our last release:
* Fedora 27 reached [end of life](https://fedoramagazine.org/fedora-27-end-of-life/) on November 30, 2018 and is no longer supported by .NET Core.
## Changes in 2.1.7
.NET Core 2.1.7 release carries both security and non-security fixes, covering the listed vulnerabilites (see CVEs below), changes related to the addition of new era to the Japanese calendar and Cryptography related fixes. All fixes of note can be seen in the [2.1.7 commits](2.1.7-commits.md) list.
.NET Core 2.1.7 release carries both security and non-security fixes. In addition to the listed vulnerabilities (see CVEs below) support for new Japanese calendar eras has been added and there are some Cryptography fixes.
All fixes of note can be seen in the [2.1.7 commits](2.1.7-commits.md) list.
* ### [CVE-2019-0545: .NET Core Information Disclosure Vulnerability](https://github.com/dotnet/Announcements/issues/XX)
**Executive summary**
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core 2.1 and 2.2. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
The security update addresses the vulnerability by enforcing Cross-origin Resource Sharing (CORS) configuration to prevent its bypass in .NET Core 2.1 and 2.2. An attacker who successfully exploited the vulnerability could retrieve content, that is normally restricted, from a web application.
Microsoft is aware of an information disclosure vulnerability exists in .NET Framework and .NET Core which allows bypassing Cross-origin Resource Sharing (CORS) configurations. An attacker who successfully exploited the vulnerability could retrieve content, that is normally restricted, from a web application.
**Affected Package and Binary updates**
The security update addresses the vulnerability by enforcing CORS configuration to prevent its bypass.
Package name | Vulnerable versions | Secure versions
------------ | ------------------- | -------------------------
System.Net.Http | 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4 | 4.3.5
* ### [CVE-2019-0548: ASP.NET Core Denial Of Service Vulnerability](https://github.com/dotnet/Announcements/issues/XX)
**Executive summary**
This security vulnerability exists in ASP.NET Core 1.0, 1.1, 2.1 and 2.2. If an application is hosted on Internet Information Server (IIS) a remote unauthenticated attacker can use a specially crafted request to cause a Denial of Service.
Microsoft is releasing this security advisory to provide information about a vulnerability in public ASP.NET Core 1.0, 1.1 and 2.1. This advisory also provides guidance on what developers can do to update their applications correctly.
**Affected Package and Binary updates**
Microsoft is aware of a security vulnerability in all public versions of ASP.NET Core where, if an application is hosted on Internet Information Server (IIS) a remote unauthenticated attacker can use a specially crafted request can cause a Denial of Service.
Package name | Vulnerable versions | Secure versions
------------ | ------------------- | -------------------------
AspNetCoreModule (ANCM) | Prior to 12.1.18346.0 | >=12.1.18346.0
* ### [CVE-2019-0564: ASP.NET Core Denial Of Service Vulnerability](https://github.com/dotnet/Announcements/issues/XX)
**Executive summary**
Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core 2.1 and 2.2. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
Microsoft is aware of a denial of service vulnerability exists when ASP.NET Core improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an ASP.NET Core web application. The vulnerability can be exploited remotely, without authentication.
This security vulnerability exists when ASP.NET Core 2.1 and 2.2 improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an ASP.NET Core web application. The vulnerability can be exploited remotely, without authentication.
A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET Core application.
The update addresses the vulnerability by correcting how the ASP.NET Core web application handles web requests.
**Package and Binary updates**
Package name | Vulnerable versions | Secure versions
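
Review bot: The three CVE headings in this hunk (CVE-2019-0545, CVE-2019-0548, CVE-2019-0564) still link to `https://github.com/dotnet/Announcements/issues/XX`; the `XX` placeholder needs the real announcement issue number in each before the notes are published, because that link is where readers go for the full advisory. Wording in the same entries also needs a pass: "Microsoft is aware of an information disclosure vulnerability exists in" and "Microsoft is aware of a denial of service vulnerability exists when" should drop "exists" or be rephrased, and "can use a specially crafted request can cause a Denial of Service" should read "to cause". The two CVE-2019-0548 sentences also disagree on scope (one lists ASP.NET Core 1.0, 1.1, 2.1 and 2.2, the other 1.0, 1.1 and 2.1), so whichever stays should name every affected version.
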
@ -86,23 +87,20 @@ The following OS version has changed support status since our last release:
Microsoft.AspNetCore.All | 2.2.0<br/>2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6 | 2.2.1 <br/> 2.1.7
* ### [CVE-2018-8416: .NET Core Tampering Vulnerability](https://github.com/dotnet/Announcements/issues/XX)
**Executive summary**
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core 2.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
Microsoft is aware of a tampering vulnerability exists when .NET Core improperly handles specially crafted files. An attacker who successfully exploited this vulnerability could write arbitrary files and directories to certain locations on a vulnerable system. However, an attacker would have limited control over the destination of the files and directories.
A security vulnerability exists wherein .NET Core 2.1 improperly handles specially crafted files. An attacker who successfully exploited this vulnerability could write arbitrary files and directories to certain locations on a vulnerable system. However, an attacker would have limited control over the destination of the files and directories.
To exploit the vulnerability, an attacker must send a specially crafted file to a vulnerable system
The update addresses the vulnerability by correcting how .NET Core handles these files.
**Package and Binary updates**
Package name | Vulnerable versions | Secure versions
------------ | ------------------- | -------------------------
System.IO.Compression.ZipFile | 4.0.0, 4.0.1, 4.3.0 | 4.3.1
Microsoft.NETCore.App* | 2.2.0<br/>2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6 | 2.2.1 <br/> 2.1.7
## Packages updated as part of this release:
\* Updated Microsoft.NETCore.App contains System.IO.Compression.ZipFile.dll version 4.3.1, which is not available separately on nuget.org.
## Packages updated in this release:
Package name | Version
------------ | -------------------
dotnet-aspnet-codegenerator | 2.1.7
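
Review bot: In the CVE-2018-8416 entry the summary text scopes the issue to .NET Core 2.1 ("a vulnerability in .NET Core 2.1", ".NET Core 2.1 improperly handles specially crafted files"), but the `Microsoft.NETCore.App*` table row lists 2.2.0 as vulnerable with 2.2.1 as the fix; state the affected versions the same way in both places so 2.2.0 users know whether they need to update. The footnote says System.IO.Compression.ZipFile.dll 4.3.1 is not available separately on nuget.org, so if the `System.IO.Compression.ZipFile | ... | 4.3.1` row is kept it should say how a project that references that package directly gets the fix. Minor: the sentence "To exploit the vulnerability, an attacker must send a specially crafted file to a vulnerable system" is missing its period, and the heading link still ends in `issues/XX`.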

@ -1,4 +1,4 @@
# .NET Core 2.2.1 January 2019 Update - January 08, 2019
# .NET Core 2.2.1 Update - January 08, 2019
.NET Core 2.2.1 is available for [download](2.2.1-download.md) and usage in your environment. This release includes .NET Core 2.2.1, ASP.NET Core 2.2.1 and .NET Core SDK 2.2.102.
@ -46,35 +46,37 @@ The following OS versions have changed support status since our last release:
* Fedora 29 was released [October 30, 2018](https://fedoramagazine.org/announcing-fedora-29/) and is supported by NET Core 2.2.
## Changes in 2.2.1
.NET Core 2.2.1 release carries both security and non-security fixes, covering the listed vulnerabilites (see CVEs below), changes related to the addition of new era to the Japanese calendar, support for running in a sandbox on Mac, and several other reliability fixes. All fixes of note can be seen in the [2.2.1 commits](2.2.1-commits.md) list.
.NET Core 2.2.1 release carries both security and non-security fixes. In addition to the listed vulnerabilites (see CVEs below) support for new Japanese calendar era and running in a sandbox on Mac has been added along with a few other reliability fixes.
All fixes of note can be seen in the [2.2.1 commits](2.2.1-commits.md) list.
* ### [CVE-2019-0545: .NET Core Information Disclosure Vulnerability](https://github.com/dotnet/Announcements/issues/XX)
**Executive summary**
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core 2.1 and 2.2. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
Microsoft is aware of an information disclosure vulnerability exists in .NET Framework and .NET Core which allows bypassing Cross-origin Resource Sharing (CORS) configurations. An attacker who successfully exploited the vulnerability could retrieve content, that is normally restricted, from a web application.
The security update addresses the vulnerability by enforcing Cross-origin Resource Sharing (CORS) configuration to prevent its bypass in .NET Core 2.1 and 2.2. An attacker who successfully exploited the vulnerability could retrieve content, that is normally restricted, from a web application.
The security update addresses the vulnerability by enforcing CORS configuration to prevent its bypass.
**Affected Package and Binary updates**
Package name | Vulnerable versions | Secure versions
------------ | ------------------- | -------------------------
System.Net.Http | 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4 | 4.3.5
* ### [CVE-2019-0548: ASP.NET Core Denial Of Service Vulnerability](https://github.com/dotnet/Announcements/issues/XX)
**Executive summary**
This security vulnerability exists in ASP.NET Core 1.0, 1.1, 2.1 and 2.2. If an application is hosted on Internet Information Server (IIS) a remote unauthenticated attacker can use a specially crafted request to cause a Denial of Service.
Microsoft is releasing this security advisory to provide information about a vulnerability in public ASP.NET Core 1.0, 1.1 and 2.1. This advisory also provides guidance on what developers can do to update their applications correctly.
**Affected Package and Binary updates**
Microsoft is aware of a security vulnerability in all public versions of ASP.NET Core where, if an application is hosted on Internet Information Server (IIS) a remote unauthenticated attacker can use a specially crafted request can cause a Denial of Service.
Package name | Vulnerable versions | Secure versions
------------ | ------------------- | -------------------------
AspNetCoreModule (ANCM) | Prior to 12.2.18346.0 | >=12.2.18346.0
* ### [CVE-2019-0564: ASP.NET Core Denial Of Service Vulnerability](https://github.com/dotnet/Announcements/issues/XX)
**Executive summary**
Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core 2.1 and 2.2. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
Microsoft is aware of a denial of service vulnerability exists when ASP.NET Core improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an ASP.NET Core web application. The vulnerability can be exploited remotely, without authentication.
This security vulnerability exists when ASP.NET Core 2.1 and 2.2 improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an ASP.NET Core web application. The vulnerability can be exploited remotely, without authentication.
A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the .NET Core application.
The update addresses the vulnerability by correcting how the ASP.NET Core web application handles web requests.
**Package and Binary updates**
Package name | Vulnerable versions | Secure versions
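
Review bot: In the CVE-2019-0548 entry, the sentence "information about a vulnerability in public ASP.NET Core 1.0, 1.1 and 2.1" leaves out 2.2, even though these are the 2.2.1 notes, the neighbouring wording lists "1.0, 1.1, 2.1 and 2.2", and the table gives an ANCM fix version of 12.2.18346.0; add 2.2 so the scope is unambiguous. "vulnerabilites" is still misspelled in "In addition to the listed vulnerabilites (see CVEs below)", and that sentence needs "have been added" for its plural subject. The three CVE heading links in this hunk still end in `issues/XX`, and "Microsoft is aware of ... vulnerability exists" and "can use a specially crafted request can cause" need the same grammar fix before publishing.
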
@ -86,7 +88,7 @@ The following OS versions have changed support status since our last release:
Microsoft.AspNetCore.App | 2.2.0<br/>2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6 | 2.2.1 <br/> 2.1.7
Microsoft.AspNetCore.All | 2.2.0<br/>2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6 | 2.2.1 <br/> 2.1.7
## Packages updated as part of this release:
## Packages updated in this release:
Package name | Version
------------ | -------------------