Merge pull request #1092 from leecow/master

add sec advisory info to relnotes
Lee Coward 2017-11-15 13:45:37 -08:00 committed by GitHub
commit eecb169f45
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 57 additions and 1 deletions

@ -21,6 +21,26 @@ Deployment of the November 2017 Update on Azure AppServices is in process. Becau
### Security Advisories
Microsoft is releasing security advisories for .NET Core and ASP.NET Core. Details can be found in corresponding announcements in the [.NET Core](https://github.com/dotnet/announcements) and [ASP.NET Core](https://github.com/aspnet/announcements) repos.
#### CVE-2017-8585 Malformed Certificate can cause Denial of Service
Microsoft is aware of a security vulnerability in .NET Core 1.0, 1.1 and 2.0 where a malformed certificate or other ASN.1 formatted data could lead to a denial of service via an infinite loop on Linux and macOS.
System administrators are advised to update their .NET Core runtimes to versions 1.0.8, 1.1.5 and 2.0.1. Developers are advised to update their .NET Core SDK to version 2.0.3 or 1.1.5.
#### CVE-2017-8700 CORS bypass can enable Information Disclosure
Microsoft is aware of a security vulnerability in ASP.NET Core 1.0 and 1.1 where Cross-Origin Resource Sharing (CORS) can be bypassed, leading to information disclosure.
#### CVE-2017-11879: Open Redirect can cause Elevation Of Privilege
Microsoft is aware of a security vulnerability in ASP.NET Core 2.0 where an Open Redirect exists, leading to Elevation Of Privilege.
#### CVE-2017-11770: Denial Of Service Vulnerability
Microsoft is aware of a security vulnerability in ASP.NET Core 1.0, 1.1 and 2.0 where the application is hosted through Windows Http.Sys where a malformed request can lead to a Denial Of Service.
### Docker Images
The [.NET Core Docker images](https://hub.docker.com/r/microsoft/dotnet/) have been updated for this release. Look for the 1.1.5 images.
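
Review bot: Only the CVE-2017-8585 entry tells the reader what to install; the CVE-2017-8700, CVE-2017-11879 and CVE-2017-11770 entries below it describe the issue but name no fixed version or package, so someone reading these notes cannot tell whether the update they are applying closes those three. Suggest adding the patched version to each of those entries, or linking each CVE heading to its own announcement issue. The intro sentence also links to the root of the dotnet/announcements and aspnet/announcements repos rather than to the advisories themselves, which leaves the reader to search for them.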

@ -21,6 +21,26 @@ Deployment of the November 2017 Update on Azure AppServices is in process. Becau
### Security Advisories
Microsoft is releasing security advisories for .NET Core and ASP.NET Core. Details can be found in corresponding announcements in the [.NET Core](https://github.com/dotnet/announcements) and [ASP.NET Core](https://github.com/aspnet/announcements) repos.
#### CVE-2017-8585 Malformed Certificate can cause Denial of Service
Microsoft is aware of a security vulnerability in .NET Core 1.0, 1.1 and 2.0 where a malformed certificate or other ASN.1 formatted data could lead to a denial of service via an infinite loop on Linux and macOS.
System administrators are advised to update their .NET Core runtimes to versions 1.0.8, 1.1.5 and 2.0.1. Developers are advised to update their .NET Core SDK to version 2.0.3 or 1.1.5.
#### CVE-2017-8700 CORS bypass can enable Information Disclosure
Microsoft is aware of a security vulnerability in ASP.NET Core 1.0 and 1.1 where Cross-Origin Resource Sharing (CORS) can be bypassed, leading to information disclosure.
#### CVE-2017-11879: Open Redirect can cause Elevation Of Privilege
Microsoft is aware of a security vulnerability in ASP.NET Core 2.0 where an Open Redirect exists, leading to Elevation Of Privilege.
#### CVE-2017-11770: Denial Of Service Vulnerability
Microsoft is aware of a security vulnerability in ASP.NET Core 1.0, 1.1 and 2.0 where the application is hosted through Windows Http.Sys where a malformed request can lead to a Denial Of Service.
### Docker Images
The [.NET Core Docker images](https://hub.docker.com/r/microsoft/dotnet/) have been updated for this release. Look for the 1.1.5 images.
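
Review bot: In the CVE-2017-8585 guidance, "runtimes to versions 1.0.8, 1.1.5 and 2.0.1" and "SDK to version 2.0.3 or 1.1.5" do not say which version belongs to which release line, and no SDK version is given for 1.0 even though 1.0 is listed as affected. Suggest spelling out the mapping per release line and naming the version that applies to this file's release first. Two smaller points in the same section: the CVE-2017-8585 and CVE-2017-8700 headings have no colon after the CVE ID while the CVE-2017-11879 and CVE-2017-11770 headings do, and the Http.Sys sentence chains "where ... where"; "where a malformed request can lead to a Denial Of Service when the application is hosted through Windows Http.Sys" reads more cleanly. This section is also word for word the same as the one added in the previous file, so any later correction has to be made in both places.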

@ -18,7 +18,23 @@ Deployment of .NET Core 2.0 support on Azure AppServices is in process. Because
## .NET Core 2.0 Highlights
### Security
### Security Advisories
Microsoft is releasing security advisories for .NET Core and ASP.NET Core. Details can be found in corresponding announcements in the [.NET Core](https://github.com/dotnet/announcements/issues?q=is%3Aopen+is%3Aissue+label%3ASecurity) and [ASP.NET Core](https://github.com/aspnet/announcements/issues?q=is%3Aopen+is%3Aissue+label%3ASecurity) repos.
#### CVE-2017-8585 Malformed Certificate can cause Denial of Service
Microsoft is aware of a security vulnerability in .NET Core 1.0, 1.1 and 2.0 where a malformed certificate or other ASN.1 formatted data could lead to a denial of service via an infinite loop on Linux and macOS.
System administrators are advised to update their .NET Core runtimes to versions 1.0.8, 1.1.5 and 2.0.1. Developers are advised to update their .NET Core SDK to version 2.0.3 or 1.1.5.
#### CVE-2017-11879: Open Redirect can cause Elevation Of Privilege
Microsoft is aware of a security vulnerability in ASP.NET Core 2.0 where an Open Redirect exists, leading to Elevation Of Privilege.
#### CVE-2017-11770: Denial Of Service Vulnerability
Microsoft is aware of a security vulnerability in ASP.NET Core 1.0, 1.1 and 2.0 where the application is hosted through Windows Http.Sys where a malformed request can lead to a Denial Of Service.
### Docker Images
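
Review bot: Both links in the intro sentence of "Security Advisories" filter on `is%3Aopen` (is:open is:issue label:Security), so they will stop showing these advisories as soon as the announcement issues are closed. Suggest dropping the `is:open` term or linking each CVE heading directly to its announcement issue. The link form here also differs from the other two files in this commit, which link to the bare repo URLs; picking one form for all three would keep the release notes consistent. As in the other files, the CVE-2017-11879 and CVE-2017-11770 entries state no fixed version, while CVE-2017-8585 does.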