Today, we are releasing the .NET Core May Update. This includes .NET Core 1.0.5, 1.1.2 and .NET Core SDK 1.0.4.
Details regarding the security issues addressed by this release can be seen in the Security Advisory announcement
An issue exists can where, in the presence of a particular sequence of bytes, web pages attempting to display content containing this sequence of bytes may terminate and not display.
A security feature bypass vulnerability exists when Microsoft .NET Core (and .NET Framework) components do not completely validate certificates.
An attacker could present a certificate that is marked invalid for a specific use, but the component uses it for that purpose. This action disregards the Enhanced Key Usage extensions.
The security update addresses the vulnerability by helping to ensure that .NET Core (and .NET Framework) components completely validate certificates.
See the release notes for a list of all fixes included in this release.
The .NET Core May 2017 Update is available from the .NET Core download site. CVE-2017-0248 effects a library which is not included in the Core download so developers can will need to update applications depend on System.Text.Encodings.Web by rebuilding with version 4.3.1 or higher.
Updated images are available at microsoft/dotnet. Pulling the latest image will update you local Docker image cache.