All WIndows deployers on IIS should review the advisory and should update to this release at the earliest opportunity.
Note that in fixing this bug in the SP, a very serious vulnerability in Microsoft’s Default Document module was exposed that causes cross-contamination of requests, where a previous request’s internal state affects the state of the following request for the default document. This manifests by exposing duplicated attribute data because the SP is appending one copy of the data to a previous copy it created already.
This can be worked around in most cases by setting
exportDuplicateValues="false" for the affected content, but some duplicated data from the built-in variables set by the SP still exist even with this option.
184.108.40.206 (May 26, 2021)
A new version of the Windows installer was released updating libcurl to the latest releases to address a security advisory fixed in curl 7.77.0.