Hopefully someone can help with this.
Since the initial .NET Framework 4.8 release, a number of vulnerabilities have been reported that were fixed by Microsoft and are available as security updates on Windows Update or as cumulative updates.
My question, however, relates to the strategy for delivering and documenting the fixed vulnerabilities within the offline installer. If I download the offline installer today, I will get version 4.8.0 Build 4115 installed (which is the latest released one as far as I am aware). This is newer than the version that one would have gotten if one had downloaded the offline installer, say, at the end of last year.
My expectation would be that security-relevant fixes are included in the new version, so if installing from the offline installer today on a system where no .NET 4.8 was previously installed, the security updates are already installed by the installer and should no longer be offered over Windows Update. Is this the case?
In general, I am also searching for a location where the build number in which a certain vulnerability was fixed is documented.
Starting from an example: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-0646, no information can be obtained on the build in which the issue was first fixed for 4.8 (i.e. even if navigating to the KB article for a given platform, let's say Win 10/.NET 4.8).