.NET Core July 2018 Update

Richard

July 10th, 2018

Today, we are releasing the .NET Core July 2018 Update. This update includes .NET Core 1.0.12, .NET Core 1.1.9, .NET Core 2.0.9 and .NET Core 2.1.2.

Security

.NET Core Security Feature Bypass Vulnerability

CVE-2018-8356:

Microsoft is aware of a security feature bypass vulnerability that exists when .NET Core does not correctly validate certificates. An attacker who successfully exploited this vulnerability could present an expired certificate when challenged.

The update addresses the vulnerability by correcting how .NET Core applications handle certificate validation.

ASP.NET Core Security Feature Bypass Vulnerability

CVE-2018-8171

Microsoft is aware of a security feature bypass in ASP.NET Core when the number of incorrect login attempts is not validated. An attacker who successfully exploited this vulnerability could try an infinite number of authentication attempts.

The update addresses the vulnerability by correcting how ASP.NET Core validates the number of incorrect login attempts.

ASP.NET Core Denial Of Service Vulnerability

aspnet/announcements #311

Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core 2.0 and 2.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

Microsoft is aware of a denial of service vulnerability in ASP.NET Core when a malformed request is terminated. An attacker who successfully exploited this vulnerability could cause a denial of service attack.

The update addresses the vulnerability by correcting how ASP.NET Core handles such requests.

The latest .NET Core updates are available on the .NET Core download page.

Today’s releases are listed as follows:

Docker Images

.NET Docker images have been updated for today’s release. The following repos have been updated.

Note: Look at the “Tags” view in each repository to see the updated Docker image tags.

Note: You must re-pull base images in order to get updates. The Docker client does not pull updates automatically.

The last few .NET Core updates follow: