January update docs

microsoft-support.md

@@ -45,9 +45,9 @@ This table tracks release dates and end of support dates for .NET Core versions.
 
 |  Version  |  Release Date  | Latest Patch Version | Support Level | End of Support |
 | -- | -- | -- | -- | -- |
-| .NET Core 2.0 | August 14, 2017 | 2.0.0 | Current | August 14, 2020 or 3 months after next Current release or 12 months after next LTS release, whichever is shorter. |
-| .NET Core 1.1 | November 16, 2016 | 1.1.4 | LTS\* | June 27 2019 or 12 months after next LTS release, whichever is shorter. |
-| .NET Core 1.0 | June 27, 2016 | 1.0.7 | LTS | June 27 2019 or 12 months after next LTS release, whichever is shorter. |
+| .NET Core 2.0 | August 14, 2017 | 2.0.5 | Current | August 14, 2020 or 3 months after next Current release or 12 months after next LTS release, whichever is shorter. |
+| .NET Core 1.1 | November 16, 2016 | 1.1.6 | LTS\* | June 27 2019 or 12 months after next LTS release, whichever is shorter. |
+| .NET Core 1.0 | June 27, 2016 | 1.0.9 | LTS | June 27 2019 or 12 months after next LTS release, whichever is shorter. |
 | .NET Core 1.0.0 RC2 | May 16, 2016 | n/a | n/a | September 27, 2016 |
 | .NET Core 1.0.0 RC1 | February 15, 2016 | n/a | n/a | July 16, 2016 |
 

release-notes/1.0/1.0.9.md

@@ -0,0 +1,61 @@
+# .NET Core January 2018 Update - January 9, 2018
+
+Microsoft is releasing security advisories for .NET Core and ASP.NET Core. Issues addressed by this update are summarized in the [fixes](#fixes) section below. Details can be found in corresponding announcements in the [.NET Core](https://github.com/dotnet/announcements/issues?q=is%3Aopen+is%3Aissue+label%3ASecurity) and [ASP.NET Core](https://github.com/aspnet/announcements/issues?q=is%3Aopen+is%3Aissue+label%3ASecurity) repos.
+
+.NET Core 1.0.9 and SDK 1.1.7 are available for download and usage in your environment.
+
+* [Announcement](https://blogs.msdn.microsoft.com/)
+* [Getting Started](https://www.microsoft.com/net/core/)
+* [Downloads](https://github.com/dotnet/core/blob/master/release-notes/download-archives/2.0.5-download.md)
+
+The .NET Core SDK 1.1.7 includes .NET Core 1.0.9 Runtime so downloading the runtime packages separately is not needed when installing the SDK. After installing the .NET Core SDK 1.1.7, the following command will show that you're running version `1.1.7` of the tools.
+
+`dotnet --version`
+
+Your feedback is important and appreciated. We've created an issue at [dotnet/core](https://github.com/dotnet/core/issues/) for your questions and comments.
+
+## Docker Images
+
+The [.NET Core Docker images](https://hub.docker.com/r/microsoft/dotnet/) have been updated for this release. Look for the 1.0.9 images.
+
+## Azure AppServices
+
+Deployment of this update to Azure AppServices is in process. Because AppServices is a high availability service, the deployment is carfully staged across regions over a period of time. Deployment will begin in the West US 2 and North Central US regions with remaining regions following over a few days.
+
+## Package and Binary updates
+
+The following packages and binaries are updated by the January 2018 update:
+
+### System.Private.Corelib.dll
+
+Microsoft.NETCore.App
+
+### System.Private.ServiceModel
+
+* System.ServiceModel.Primitives
+* System.ServiceModel.Http
+* System.ServiceModel.NetTcp
+* System.ServiceModel.Security
+* System.ServiceModel.Duplex
+
+### System.Private.Xml.dll
+
+* System.Xml.ReaderWriter
+* System.Xml.XmlDocument
+* System.Xml.XmlSerializer
+* System.Xml.XPath
+* System.Xml.XPath.XDocument
+
+## Fixes
+
+### CVE-2018-0786 - Security Feature Bypass in X509 Certificate Validation
+
+Microsoft is aware of a security vulnerability in the public versions of .NET Core where an attacker could present a certificate that is marked invalid for a specific use, but a component uses it for that purpose. This action disregards the Enhanced Key Usage tagging.
+
+The security update addresses the vulnerability by ensuring that .NET Core components completely validate certificates.
+
+### CVE-2018-0764 - Denial of Service when parsing XML documents
+
+Microsoft is aware of a Denial of Service vulnerability in all public versions of .NET core due to improper processing of XML documents. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to a .NET Core application.
+
+The update addresses the vulnerability by correcting how .NET core handles XML document processing.

release-notes/1.1/1.1.6.md

@@ -0,0 +1,61 @@
+# .NET Core January 2018 Update - January 9, 2018
+
+Microsoft is releasing security advisories for .NET Core and ASP.NET Core. Issues addressed by this update are summarized in the [fixes](#fixes) section below. Details can be found in corresponding announcements in the [.NET Core](https://github.com/dotnet/announcements/issues?q=is%3Aopen+is%3Aissue+label%3ASecurity) and [ASP.NET Core](https://github.com/aspnet/announcements/issues?q=is%3Aopen+is%3Aissue+label%3ASecurity) repos.
+
+.NET Core 1.1.6 and SDK 1.1.7 are available for download and usage in your environment.
+
+* [Announcement](https://blogs.msdn.microsoft.com/)
+* [Getting Started](https://www.microsoft.com/net/core/)
+* [Downloads](https://github.com/dotnet/core/blob/master/release-notes/download-archives/2.0.5-download.md)
+
+The .NET Core SDK 1.1.7 includes .NET Core 1.1.6 Runtime so downloading the runtime packages separately is not needed when installing the SDK. After installing the .NET Core SDK 1.1.7, the following command will show that you're running version `1.1.7` of the tools.
+
+`dotnet --version`
+
+Your feedback is important and appreciated. We've created an issue at [dotnet/core](https://github.com/dotnet/core/issues/) for your questions and comments.
+
+## Docker Images
+
+The [.NET Core Docker images](https://hub.docker.com/r/microsoft/dotnet/) have been updated for this release. Look for the 1.1.6 images.
+
+## Azure AppServices
+
+Deployment of this update to Azure AppServices is in process. Because AppServices is a high availability service, the deployment is carfully staged across regions over a period of time. Deployment will begin in the West US 2 and North Central US regions with remaining regions following over a few days.
+
+## Package and Binary updates
+
+The following packages and binaries are updated by the January 2018 update:
+
+### System.Private.Corelib.dll
+
+Microsoft.NETCore.App
+
+### System.Private.ServiceModel
+
+* System.ServiceModel.Primitives
+* System.ServiceModel.Http
+* System.ServiceModel.NetTcp
+* System.ServiceModel.Security
+* System.ServiceModel.Duplex
+
+### System.Private.Xml.dll
+
+* System.Xml.ReaderWriter
+* System.Xml.XmlDocument
+* System.Xml.XmlSerializer
+* System.Xml.XPath
+* System.Xml.XPath.XDocument
+
+## Fixes
+
+### CVE-2018-0786 - Security Feature Bypass in X509 Certificate Validation
+
+Microsoft is aware of a security vulnerability in the public versions of .NET Core where an attacker could present a certificate that is marked invalid for a specific use, but a component uses it for that purpose. This action disregards the Enhanced Key Usage tagging.
+
+The security update addresses the vulnerability by ensuring that .NET Core components completely validate certificates.
+
+### CVE-2018-0764 - Denial of Service when parsing XML documents
+
+Microsoft is aware of a Denial of Service vulnerability in all public versions of .NET core due to improper processing of XML documents. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to a .NET Core application.
+
+The update addresses the vulnerability by correcting how .NET core handles XML document processing.

release-notes/2.0/2.0.5.md

@@ -0,0 +1,74 @@
+# .NET Core January 2018 Update - January 9, 2018
+
+Microsoft is releasing security advisories for .NET Core and ASP.NET Core. Issues addressed by this update are summarized in the [fixes](#fixes) section below. Details can be found in corresponding announcements in the [.NET Core](https://github.com/dotnet/announcements/issues?q=is%3Aopen+is%3Aissue+label%3ASecurity) and [ASP.NET Core](https://github.com/aspnet/announcements/issues?q=is%3Aopen+is%3Aissue+label%3ASecurity) repos.
+
+.NET Core 2.0.5 and SDK 2.1.4 are available for download and usage in your environment.
+
+* [Announcement](https://blogs.msdn.microsoft.com/)
+* [Getting Started](https://www.microsoft.com/net/core/)
+* [Downloads](https://github.com/dotnet/core/blob/master/release-notes/download-archives/2.0.5-download.md)
+
+The .NET Core SDK 2.1.4 includes .NET Core 2.0.5 Runtime so downloading the runtime packages separately is not needed when installing the SDK. After installing the .NET Core SDK 2.1.4, the following command will show that you're running version `2.1.4` of the tools.
+
+`dotnet --version`
+
+Your feedback is important and appreciated. We've created an issue at [dotnet/core](https://github.com/dotnet/core/issues/) for your questions and comments.
+
+## Docker Images
+
+The [.NET Core Docker images](https://hub.docker.com/r/microsoft/dotnet/) have been updated for this release. Look for the 2.0.5 images.
+
+## Azure AppServices
+
+Deployment of this update to Azure AppServices is in process. Because AppServices is a high availability service, the deployment is carfully staged across regions over a period of time. Deployment will begin in the West US 2 and North Central US regions with remaining regions following over a few days.
+
+## Known Issues
+
+### Using Linux package managers to update `dotnet-host.x86_64` breaks .NET Core
+
+**Issue:** Running the package manager `update` command on Linux systems where .NET Core has been previously installed may offer an update for `dotnet-host.x86_64`. If the update is allowed to proceed, .NET Core could be in a broken state as only the dotnet host is updated.
+
+**Resolution:** To install the update, either the Runtime or SDK must be explicitly installed. e.g. `sudo [apt-get, yum, dnf, zypper] install dotnet-runtime-2.0.5`, if you only need the runtime or `sudo [apt-get, yum, dnf, zypper] dotnet-sdk-2.1.4`, to install both the SDK and Runtime.
+
+We are working to improve our Linux packages to enable correct package manager update behavior. This work is being tracked in the following issues:
+
+* [dotnet/core-setup/issues/3556](https://github.com/dotnet/core-setup/issues/3556)
+* [dotnet/cli/issues/8209](https://github.com/dotnet/cli/issues/8209)
+
+## Package and Binary updates
+
+The following packages and binaries are updated by the January 2018 update:
+
+### System.Private.Corelib.dll
+
+Microsoft.NETCore.App
+
+### System.Private.ServiceModel
+
+* System.ServiceModel.Primitives
+* System.ServiceModel.Http
+* System.ServiceModel.NetTcp
+* System.ServiceModel.Security
+* System.ServiceModel.Duplex
+
+### System.Private.Xml.dll
+
+* System.Xml.ReaderWriter
+* System.Xml.XmlDocument
+* System.Xml.XmlSerializer
+* System.Xml.XPath
+* System.Xml.XPath.XDocument
+
+## Fixes
+
+### CVE-2018-0786 - Security Feature Bypass in X509 Certificate Validation
+
+Microsoft is aware of a security vulnerability in the public versions of .NET Core where an attacker could present a certificate that is marked invalid for a specific use, but a component uses it for that purpose. This action disregards the Enhanced Key Usage tagging.
+
+The security update addresses the vulnerability by ensuring that .NET Core components completely validate certificates.
+
+### CVE-2018-0764 - Denial of Service when parsing XML documents
+
+Microsoft is aware of a Denial of Service vulnerability in all public versions of .NET core due to improper processing of XML documents. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to a .NET Core application.
+
+The update addresses the vulnerability by correcting how .NET core handles XML document processing.