From 1da78d557b622446f897b601c58b99610aab7172 Mon Sep 17 00:00:00 2001 From: vivmishra Date: Mon, 7 Jan 2019 10:40:44 -0800 Subject: [PATCH] Updates to rel notes --- release-notes/2.1/2.1.7/2.1.7.md | 6 ++++++ release-notes/2.2/2.2.1/2.2.1.md | 24 +++++++----------------- 2 files changed, 13 insertions(+), 17 deletions(-) diff --git a/release-notes/2.1/2.1.7/2.1.7.md b/release-notes/2.1/2.1.7/2.1.7.md index 548db603..b6ebcb05 100644 --- a/release-notes/2.1/2.1.7/2.1.7.md +++ b/release-notes/2.1/2.1.7/2.1.7.md @@ -47,6 +47,12 @@ See [.NET Core Supported OS Lifecycle Policy](https://github.com/dotnet/core/blo * ### [CVE-2019-0545: .NET Core Information Disclosure Vulnerability](https://github.com/dotnet/Announcements/issues/XX) **Executive summary** + Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core 2.1 and 2.2. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. + + Microsoft is aware of an information disclosure vulnerability exists in .NET Framework and .NET Core which allows bypassing Cross-origin Resource Sharing (CORS) configurations. An attacker who successfully exploited the vulnerability could retrieve content, that is normally restricted, from a web application. + + The security update addresses the vulnerability by enforcing CORS configuration to prevent its bypass. + * ### [CVE-2019-0548: ASP.NET Core Denial Of Service Vulnerability](https://github.com/dotnet/Announcements/issues/XX) **Executive summary** diff --git a/release-notes/2.2/2.2.1/2.2.1.md b/release-notes/2.2/2.2.1/2.2.1.md index 41faab8b..d44a2251 100644 --- a/release-notes/2.2/2.2.1/2.2.1.md +++ b/release-notes/2.2/2.2.1/2.2.1.md 
@@ -46,6 +46,13 @@ See [.NET Core Supported OS Lifecycle Policy](https://github.com/dotnet/core/blo * ### [CVE-2019-0545: .NET Core Information Disclosure Vulnerability](https://github.com/dotnet/Announcements/issues/XX) **Executive summary** + + Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core 2.1 and 2.2. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. + + Microsoft is aware of an information disclosure vulnerability exists in .NET Framework and .NET Core which allows bypassing Cross-origin Resource Sharing (CORS) configurations. An attacker who successfully exploited the vulnerability could retrieve content, that is normally restricted, from a web application. + + The security update addresses the vulnerability by enforcing CORS configuration to prevent its bypass. + * ### [CVE-2019-0548: ASP.NET Core Denial Of Service Vulnerability](https://github.com/dotnet/Announcements/issues/XX) **Executive summary** @@ -75,23 +82,6 @@ See [.NET Core Supported OS Lifecycle Policy](https://github.com/dotnet/core/blo Microsoft.AspNetCore.App | 2.2.0
2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6 | 2.2.1
2.1.7 Microsoft.AspNetCore.All | 2.2.0
2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6 | 2.2.1
2.1.7 -* ### [CVE-2018-8416: .NET Core Tampering Vulnerability](https://github.com/dotnet/Announcements/issues/XX) - **Executive summary** - - Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core 2.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. - - Microsoft is aware of a tampering vulnerability exists when .NET Core improperly handles specially crafted files. An attacker who successfully exploited this vulnerability could write arbitrary files and directories to certain locations on a vulnerable system. However, an attacker would have limited control over the destination of the files and directories. - - To exploit the vulnerability, an attacker must send a specially crafted file to a vulnerable system - - The update addresses the vulnerability by correcting how .NET Core handles these files. - - **Package and Binary updates** - - Package name | Vulnerable versions | Secure versions - ------------ | ------------------- | ------------------------- - System.IO.Compression.ZipFile | 4.0.0, 4.0.1, 4.3.0 | 4.3.1 - ## Packages updated as part of this release: Package name | Version
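Review bot: In the first hunk (release-notes/2.1/2.1.7/2.1.7.md, @@ -47,6 +47,12) the first added paragraph starts on the line directly after `**Executive summary**` with no blank line, while the same insertion in 2.2.1.md adds an empty `+` line first (6 insertions here against 7 there). Add the blank line so both files render the summary as its own paragraph. The CVE-2019-0545 heading above the addition still links to `https://github.com/dotnet/Announcements/issues/XX`; replace the `XX` placeholder with the real announcement issue before these notes are published, otherwise readers cannot reach the advisory the summary refers to.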
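Review bot: In the 2.2.1.md hunk at @@ -46,6 +46,13 (and the identical text in 2.1.7.md) the added summary disagrees with itself on scope: the first paragraph says the vulnerability is "in .NET Core 2.1 and 2.2", the second says it "exists in .NET Framework and .NET Core". State one affected-product list and use it in both paragraphs. The sentence "Microsoft is aware of an information disclosure vulnerability exists" is also ungrammatical; suggest "is aware of an information disclosure vulnerability that exists". Finally, the text promises guidance on how developers can update, but the hunk adds no "Package and Binary updates" table for CVE-2019-0545 (the next line is already the CVE-2019-0548 heading), so a reader cannot tell which package versions carry the CORS fix.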
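Review bot: The last hunk (2.2.1.md, @@ -75,23 +82,6) deletes the entire CVE-2018-8416 entry, including the only row stating that System.IO.Compression.ZipFile 4.0.0, 4.0.1 and 4.3.0 are vulnerable and 4.3.1 is the secure version, and the commit subject "Updates to rel notes" gives no reason. If the entry is being dropped because the removed text scoped the issue to .NET Core 2.1 and it does not belong in the 2.2.1 notes, say so in the commit message, and confirm the package table is still present in the release notes where it does apply so the secure-version guidance is not lost.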