.NET 1.0 SP 3 and .NET 1.1 SP 1 Released


Today we pushed .NET 1.0 SP3 and .NET 1.1 SP1 onto Windows Update as a Critical Update.  You can also download the service packs from the MSDN download center.  Here’s a brief review of what’s new for security in each service pack:

.NET 1.0 SP3 (v1.0.3705.6018) [download | complete changelist]

  • 323683: NTLM authentication is lost on every call
  • 321562: FIX: Role-based authentication fails for users who belong to many groups

and these security related fixes that weren’t from the CLR security team:

  • 324488: Forms authentication and view state fail intermittently under heavy load
  • 327132: FIX: PassportIdentity does not require secure PIN when security-enhanced authentication is requested
  • 327523: Users can open Web pages without the correct NTFS permissions

.NET 1.1 SP1 (v1.1.4322.2032) [download | Windows 2003 download | complete changelist]

  • 836989: FIX: A user receives a “security exception” error message while running user code that is based on the .NET Framework 1.1 in a partial trust environment
  • 828295: FIX: Error Message: Security Exception: PermissionToken Index Does Not Match Index into m_unrestrictedPermSet
  • 839289: FIX: The GC heap becomes corrupted when you use the .NET Framework System.Security.Cryptography.RSACryptoServiceProvider class

 

Comments (23)

  1. Dmitriy Zaslavskiy says:

    Doesn’t XP SP2 includes those?

  2. Shawn says:

    XPSP2 has these as an optional install on the CD, however for people on Win2k, NT4, Win9x, or Win2k3 (or those on XP who haven’t gotten SP2 yet), you can now get them on Windows Update as well.

    -Shawn

  3. graye says:

    I’m getting several reports from folks who can’t install one or both of the framework updates. The symptoms are the same… the install just stops

    Any official word on this?

  4. Shawn says:

    No official word that I know of, but if you’d like to report your problem on the Product Feeback Center (http://lab.msdn.microsoft.com/productFeedback/), someone from the setup team will be able to take a look at it.

    -Shawn

  5. Eugene says:

    Any chance of the runtime redistributable update?

  6. Shawn says:

    Sorry Eugene, at this point you need to download the original DotNetFx.exe, and then also download the patch. I’m not on the redist team, so I cannot say for sure if we intend to distribute a fully patched redist at some point.

    I can recommend submitting this feedback on the Product Feedback Center, and someone closer to the situation will be able to let you know what the plans in that area are. (http://lab.msdn.microsoft.com/productfeedback/)

    -Shawn

  7. Nave says:

    It seems that there is problem when trying to deserialize a strcut which is stored in an assembly which has a strong name while using remoteing.

    The problem only happens in framework 1.0 with SP3.

    classes in the same assembly are being remoted successfully, the struct doesn’t.

    It didn’t happen when SP2 was installed.

    Any chance there has been some security changes on that issue?

  8. Shawn says:

    Hi Nave,

    There’s no security change that I know of there, however that doesn’t mean that there wasn’t one that was made by the serialization guys. You might want to check the full changelist (linked to above) to see if something looks like it might have caused it. If you feel this is a bug, you might also want to use the Product Feedback Center (http://lab.msdn.microsoft.com/productfeedback/) to file a bug report.

    -Shawn

  9. robert smith says:

    Why isn’t the 1.1 SP1 (ok and the 1.0 sp3) considered a critical update on Windows Update? The new v5 Windows Update is confusing many of my users because they seem to fear the Custom Install as being "over their heads"

    If the SPs include security fixes/updates then don’t they qualify for being included in the "Critical Updates" section and thus always shown in the Exrpess option?

    I think it would go a lot farther as a trusted platform among non-geeks if Windows Update implied that it was a needed part of the OS for all users, and that updates to the framework were Obviously important.

    I’ve read a number of news posts in non-dev (regular folks) groups that tell people that they "don’t need the .Net updates if they don’t have any .Net programs" … followed by users asking how they would know if they had any … followed by instructions to check the registry or look for the framework folder in thier Windows directory. And, as I watch users, they just give up and ignore it.

  10. Joe says:

    Whne installing the 1.1 SP1 update, some users are getting an exception error:

    "SL436D.tmp – Common Language Runtime Debuggin Sevices

    Application has generated an exception that could not be handled"

    any ideas?

  11. xgman says:

    This happened to me on 1.0 SP3. Why do I need .net 1.0 sp3 if I have .net 1.1 installed. Do we need bot 1.0 and 1.1 together? After a sucessfull 1.1 install, Windows Update still shows .net 1.0 sp3 as needed. why?

  12. Perry Lund says:

    I recently responded to client how had exception errors installing under Windows 2000. I have three identical Micron PCs running Windows 2000 and I can not get them to update to .NET Framework 1.0 Service Pack 3.

    I get a message that Application has gernerated an exception. I have downloaded the update to desktop and tried installing the update directly. The same exception message occurs.

    The basic error message says – "SL3.tmp – application has generated an exception.

  13. xgman says:

    Someone must have a clue about this a MS. ??

  14. xgman says:

    are all the computers having problems with SP3 Athlon 64’s by chance?

  15. Shawn says:

    Lots of comments over the weekend 🙂 OK, one at a time:

    1. The reason you need 1.0 SP3 as well as 1.1 SP1 is that .NET 1.0 installs side-by-side with .NET 1.1 (ie, they’re both on your computer at the same time). 1.1 SP 1 does not include the 1.0 SP 3 bits, since having v1.1 does not guarantee that v1.0 is installed on your machine. If you’d like to see that you have both versions, check out %WINDIR%Microsoft.NETFramework …. the v1.0.3705 directory is v1.0, v1.1.4322 is v1.1

    2. I’m not sure about errors installing the framework. You can file a bug report via the Product Feeback Center (http://lab.msdn.microsoft.com/productfeedback/), or by calling PSS directly (http://www.microsoft.com/support).

    3. Not sure if this is relevant to your case, but the only way that v1.0 and 1.1 of the CLR will work on an Athlon 64 is if it is running in 32 bit mode. .NET will not support 64 bit operation until v2.0.

    -Shawn

  16. xgman says:

    yes 32 bit mode, but my A64 box is the only one that it won’t install on. Seems like enough people are having the same install error issues for MS to figure out what’s hanging it up.

    I sent a bug report referencing this thread as well.

  17. Andy says:

    It appears that while this is a "Critical Update," it isn’t being pushed by automatic updates. Can you confirm if that is the case?

    I’m concerned because our entire network is loaded with .NET dependent software, which is broken by the fixes applied to 1.0 SP3. So far we have had no problems except on machines where the update was manually applied via the windowsupdate site.

    Granted, for a business our size (150+ employees, 200+ workstations) we should consider completely turning off the automatic updates and implement our own patch-management solution.

  18. Don Streng says:

    Is XPe advertised as just like XP Pro, but then when updates are done for .NET stuff etc… XPe is never listed as supported even though in theory it should be the same as XP Pro. I tried to install the .NET 1.1 SP1 but it says that the program to be updated is missing.

    In the C:WindowsMicrosoft.NETFramework folder I have some sub folders labelled v.1.0.3705 and v1.1.4322 so it looks to me like I’ve got the stuff installed. What’s the update looking for?

    A useful error message with info. about exactly what it wants would be helpful. Anyone have a clue?

  19. DHARMALINGAM says:

    Registered JIT debugger not available