.NET Core May 2017 Update

Today, we are releasing the .NET Core May Update. This includes .NET Core 1.0.5, 1.1.2 and .NET Core SDK 1.0.4.

Details regarding the security issues addressed by this release can be seen in the Security Advisory announcement

Security

CVE-2017-0247

An issue exists can where, in the presence of a particular sequence of bytes, web pages attempting to display content containing this sequence of bytes may terminate and not display.

CVE-2017-0248

A security feature bypass vulnerability exists when Microsoft .NET Core (and .NET Framework) components do not completely validate certificates.

An attacker could present a certificate that is marked invalid for a specific use, but the component uses it for that purpose. This action disregards the Enhanced Key Usage extensions.

The security update addresses the vulnerability by helping to ensure that .NET Core (and .NET Framework) components completely validate certificates.

Quality and Reliability

See the release notes for a list of all fixes included in this release.

Getting the Update

The .NET Core May 2017 Update is available from the .NET Core download site. CVE-2017-0248 effects a library which is not included in the Core download so developers can will need to update applications depend on System.Text.Encodings.Web by rebuilding with version 4.3.1 or higher.

Docker Images

The following images have been published and/or updated at microsoft/dotnet.

  • 1.0.5-runtime, 1.0-runtime
    • 1.0.5-runtime-jessie
    • 1.0.5-runtime-nanoserver
  • 1.0.5-runtime-deps, 1.0-runtime-deps
    • 1.0.5-runtime-deps-jessie
  • 1.0.5-sdk, 1.0-sdk
    • 1.0.5-sdk-jessie
    • 1.0.5-sdk-nanoserver
  • 1.1.2-runtime, 1.1-runtime, 1-runtime, runtime
    • 1.1.2-runtime-jessie
    • 1.1.2-runtime-nanoserver
  • 1.1.2-runtime-deps, 1.1-runtime-deps, 1-runtime-deps, runtime-deps
    • 1.1.2-runtime-deps-jessie
  • 1.1.2-sdk, 1.1-sdk, sdk, latest
    • 1.1.2-sdk-jessie
    • 1.1.2-sdk-nanoserver

For existing tags, such as runtimesdk or latest, re-pulling the tag will update you local Docker image cache. For example docker pull microsoft/dotnet:latest will pull the updated image for the latest tag.