Please leave feedback on the release in the comments below or at dotnet/core #1199.
CVE-2018-0786 – Security Feature Bypass in X509 Certificate Validation
Microsoft is aware of a security vulnerability in the public versions of .NET Core where an attacker could present a certificate that is marked invalid for a specific use, but a component uses it for that purpose. This action disregards the Enhanced Key Usage tagging.
The security update addresses the vulnerability by ensuring that .NET Core components completely validate certificates.
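As an illustration of the Enhanced Key Usage check this advisory concerns (an added example, not code from the .NET Core update or from Microsoft), the following C# program tests whether a certificate is tagged for a given purpose, both directly on the leaf and through the chain builder's `ApplicationPolicy`. The certificate is a constructed self-signed sample, and the class and method names are hypothetical.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class EkuCheck
{
    const string ServerAuth = "1.3.6.1.5.5.7.3.1"; // id-kp-serverAuth
    const string ClientAuth = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth

    // Direct check of the leaf: a certificate without an EKU extension is
    // unrestricted; one with the extension is valid only for the listed purposes.
    static bool LeafAllowsUsage(X509Certificate2 cert, string purposeOid)
    {
        var ekus = cert.Extensions.OfType<X509EnhancedKeyUsageExtension>().ToList();
        return ekus.Count == 0 ||
               ekus.Any(e => e.EnhancedKeyUsages.Cast<Oid>().Any(o => o.Value == purposeOid));
    }

    // Chain-level check: ask the chain builder to enforce the purpose and
    // look for the NotValidForUsage status among the results.
    static bool ChainAllowsUsage(X509Certificate2 cert, string purposeOid)
    {
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            chain.ChainPolicy.ApplicationPolicy.Add(new Oid(purposeOid));
            chain.Build(cert); // false here anyway: the sample root is untrusted
            return !chain.ChainStatus.Any(s => s.Status.HasFlag(X509ChainStatusFlags.NotValidForUsage));
        }
    }

    static void Main()
    {
        // Constructed sample: self-signed certificate tagged for client authentication only.
        using (var rsa = RSA.Create(2048))
        {
            var req = new CertificateRequest("CN=constructed-sample", rsa,
                HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            req.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(
                new OidCollection { new Oid(ClientAuth) }, critical: false));
            using (var cert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1),
                                                   DateTimeOffset.UtcNow.AddDays(30)))
            {
                foreach (var purpose in new[] { ClientAuth, ServerAuth })
                    Console.WriteLine($"{purpose}: leaf={LeafAllowsUsage(cert, purpose)} chain={ChainAllowsUsage(cert, purpose)}");
            }
        }
    }
}
```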
Microsoft is aware of a Denial of Service vulnerability in all public versions of .NET Core due to improper processing of XML documents. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to a .NET Core application.
The update addresses the vulnerability by correcting how .NET Core handles XML document processing.
Getting the Update
The .NET Core January 2018 Update is available from the .NET Core download page.
You can always download the latest version of .NET Core at .NET Downloads.
.NET Docker images have been updated for today’s release. The following repos have been updated.
Note: Look at the “Tags” view in each repository to see the updated Docker image tags.
Note: You must re-pull base images in order to get updates. The Docker client does not pull updates automatically.
Previous .NET Core Updates
The last few .NET Core updates follow: