Yesterday, we released the January 2022 Security and Quality Rollup Updates for .NET Framework.
Security
CVE-2022-21911 – .NET Framework Denial of Service
This security update addresses an issue where an unauthenticated attacker could cause a denial of service on an affected system.
Quality and Reliability
This release contains the following quality and reliability improvements.
SQL Connectivity
- Under certain error cases caused by a NullReferenceException thrown while populating SqlParameter values using customer-provided delegates, the SqlClient driver may not clean up the state of the connection. A connection in a bad state can make its way into the connection pool and may be picked up for reuse, causing unexpected failures on the connection. If such a condition is recognized, the AppContext switch “Switch.System.Data.SqlClient.CleanupParserOnAllFailures” may be enabled to clean up connections on any kind of failure, even when running into errors with delegates.
WCF¹
- Addresses a failure to correctly timeout a failed request when making an asynchronous WCF call over HTTP. If the service has sent a partial response message and fails to send the remainder of the response, the client may not fail the call after the configured timeout.
WPF²
- Addresses an issue where WPF does not respond to touch if the WPF window was activated by a touch manipulation (e.g. swiping a listbox).
- Adds a mitigation for an issue involving tearing, flickering, or incorrect composition of visual content under high GPU-load conditions.
- Addresses an issue where the extra information associated with a WM_KEYDOWN message is discarded before the handlers for the PreviewKeyDown or KeyDown events can retrieve it via GetMessageExtraInfo.
- Addresses an issue where AutomationElement.FindFirst or FindAll do not search the subtree of an hwnd whose UIA_WindowVisibilityOverridden property is set to 1.
- Addresses an issue where a binding on TextBox.Text with UpdateSourceTrigger=PropertyChanged produces incorrect results when the Microsoft Quick IME is used.
¹ Windows Communication Foundation (WCF)
² Windows Presentation Foundation (WPF)
Getting the Update
The Security and Quality Rollup is available via Windows Update, Windows Server Update Services, and Microsoft Update Catalog. The Security Only Update is available via Windows Server Update Services and Microsoft Update Catalog.
Microsoft Update Catalog
You can get the update via the Microsoft Update Catalog. For Windows 10, .NET Framework 4.8 updates are available via Windows Update, Windows Server Update Services, and Microsoft Update Catalog. Updates for other versions of .NET Framework are part of the Windows 10 Monthly Cumulative Update.
**Note**: Customers that rely on Windows Update and Windows Server Update Services will automatically receive the .NET Framework version-specific updates. Advanced system administrators can also make use of the direct Microsoft Update Catalog download links below for .NET Framework-specific updates. Before applying these updates, carefully review the .NET Framework version applicability to ensure that you only install updates on systems where they apply.
The following table is for Windows 10 and Windows Server 2016+ versions.
Product Version | Cumulative Update | |
---|---|---|
Windows 11 | | |
.NET Framework 3.5, 4.8 | Catalog | 5008880 |
Microsoft server operating systems version 21H2 | | |
.NET Framework 3.5, 4.8 | Catalog | 5008882 |
Windows 10 21H2 | | |
.NET Framework 3.5, 4.8 | Catalog | 5008876 |
Windows 10 21H1 | | |
.NET Framework 3.5, 4.8 | Catalog | 5008876 |
Windows 10, version 20H2 and Windows Server, version 20H2 | | |
.NET Framework 3.5, 4.8 | Catalog | 5008876 |
Windows 10 1909 | | |
.NET Framework 3.5, 4.8 | Catalog | 5008879 |
Windows 10 1809 (October 2018 Update) and Windows Server 2019 | 5009718 | |
.NET Framework 3.5, 4.7.2 | Catalog | 5008873 |
.NET Framework 3.5, 4.8 | Catalog | 5008878 |
Windows 10 1607 (Anniversary Update) and Windows Server 2016 | | |
.NET Framework 3.5, 4.6.2, 4.7, 4.7.1, 4.7.2 | Catalog | 5009546 |
.NET Framework 4.8 | Catalog | 5008877 |
Windows 10 1507 | | |
.NET Framework 3.5, 4.6, 4.6.1, 4.6.2 | Catalog | 5009585 |
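
To act on the applicability note above, this added example (not part of the original post) picks the framework-specific update for the two Windows 10 rows that list more than one, then checks whether it is installed. `Get-NetFxVersion` and `Get-ApplicableKb` are hypothetical names; the KB numbers come from the table, and the example assumes OS builds 17763 (1809 / Server 2019) and 14393 (1607 / Server 2016) and that `Get-HotFix` reports the .NET Framework update on the host.

```powershell
# Added example. KB numbers are taken from the table above; the Release
# thresholds are the documented minimum values of the v4\Full "Release" DWORD.
function Get-NetFxVersion {
    param([int]$Release)
    if     ($Release -ge 528040) { '4.8' }
    elseif ($Release -ge 461808) { '4.7.2' }
    elseif ($Release -ge 461308) { '4.7.1' }
    elseif ($Release -ge 460798) { '4.7' }
    elseif ($Release -ge 394802) { '4.6.2' }
    else                         { $null }   # older than anything mapped here
}

function Get-ApplicableKb {
    param([int]$OsBuild, [string]$NetFxVersion)
    # Only the rows where the KB depends on the installed framework version.
    $map = @{
        17763 = @{ '4.7.2' = 'KB5008873'; '4.8' = 'KB5008878' }
        14393 = @{ '4.6.2' = 'KB5009546'; '4.7'   = 'KB5009546'
                   '4.7.1' = 'KB5009546'; '4.7.2' = 'KB5009546'
                   '4.8'   = 'KB5008877' }
    }
    if ($map.ContainsKey($OsBuild)) { $map[$OsBuild][$NetFxVersion] } else { $null }
}

# Read the installed .NET Framework 4.x release and the OS build from this host.
$key     = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $key -Name Release -ErrorAction Stop).Release
$build   = [Environment]::OSVersion.Version.Build
$version = Get-NetFxVersion -Release $release
$kb      = Get-ApplicableKb -OsBuild $build -NetFxVersion $version

if (-not $kb) {
    "No mapping in this example for build $build with .NET Framework $version; use the table."
} elseif (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) {
    "$kb is installed (.NET Framework $version, build $build)."
} else {
    "$kb applies (.NET Framework $version, build $build) but was not found by Get-HotFix."
}
```
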
The following table is for earlier Windows and Windows Server versions.
Product Version | Security and Quality Rollup | | Security Only Update | |
---|---|---|---|---|
Windows 8.1, Windows RT 8.1 and Windows Server 2012 R2 | 5009721 | | 5009713 | |
.NET Framework 3.5 | Catalog | 5008868 | Catalog | 5008891 |
.NET Framework 4.5.2 | Catalog | 5008870 | Catalog | 5008893 |
.NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 | Catalog | 5008875 | Catalog | 5008895 |
.NET Framework 4.8 | Catalog | 5008883 | Catalog | 5008897 |
Windows Server 2012 | 5009720 | | 5009712 | |
.NET Framework 3.5 | Catalog | 5008865 | Catalog | 5008888 |
.NET Framework 4.5.2 | Catalog | 5008869 | Catalog | 5008892 |
.NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 | Catalog | 5008874 | Catalog | 5008894 |
.NET Framework 4.8 | Catalog | 5008881 | Catalog | 5008896 |
Windows 7 SP1 and Windows Server 2008 R2 SP1 | 5009719 | | 5009711 | |
.NET Framework 3.5.1 | Catalog | 5008867 | Catalog | 5008890 |
.NET Framework 4.5.2 | Catalog | 5008860 | Catalog | 5008887 |
.NET Framework 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 | Catalog | 5008859 | Catalog | 5008886 |
.NET Framework 4.8 | Catalog | 5008858 | Catalog | 5008885 |
Windows Server 2008 | 5009722 | | 5009714 | |
.NET Framework 2.0, 3.0 | Catalog | 5008866 | Catalog | 5008889 |
.NET Framework 4.5.2 | Catalog | 5008860 | Catalog | 5008887 |
.NET Framework 4.6 | Catalog | 5008859 | Catalog | 5008886 |
Previous Monthly Rollups
The last few .NET Framework Monthly updates are listed below for your convenience:
Did Microsoft.Data.SqlClient have the same NullReferenceException bug as System.Data.SqlClient?
Typo in the “SQL Connectivity” section – you’re missing the “U” from “nder certain …”.
.NET 3.5 updates for Windows 8.1 (both rollup 5008868 and security only 5008891) are malformed, they are not applicable or installable
not that I fully understand the internal structure of components servicing, but comparing with other updates, it seems those two are built as dual branch GDR/LDR, but they only include one branch
updateComponent elevate="revision"
the issue only affects those two updates, all other .NET updates for Windows 8.1 - 7 are good