Package "dotnet8"

  dotnet8 (8.0.121-8.0.21-0ubuntu1~22.04.1) jammy; urgency=medium

  * New upstream release
  * SECURITY UPDATE: denial of service
    - CVE-2025-55247: A vulnerability exists in .NET Core where predictable
      paths for MSBuild's temporary directories on Linux let another user
      create the directories ahead of MSBuild, leading to DoS of builds.
  * SECURITY UPDATE: validation bypass
    - CVE-2025-55315: Inconsistent interpretation of http requests
      ('http request/response smuggling') in ASP.NET Core allows an authorized
      attacker to bypass a security feature over a network.
  * SECURITY UPDATE: information disclosure
    - CVE-2025-55248: MITM (man in the middle) attacker may prevent use of TLS
      between client and SMTP server, forcing client to send data over
      unencrypted connection.
  * eng/test-runner: sync changes with upstream
  * tests/control, tests/regular-tests: sync changes with upstream
  * debian/rules: use release.json manifest instead of legacy text file

 -- Dominik Viererbe <email address hidden> Wed, 08 Oct 2025 13:49:14 +0300

  dotnet8 (8.0.117-8.0.17-0ubuntu1~22.04.1) jammy; urgency=medium

  * New upstream release
  * SECURITY UPDATE: remote code execution
    - CVE-2025-30399: DLL Hijacking Remote Code Execution Vulnerability.
      When using the Download File task in Microsoft.NETCore.App.Runtime,
      omitting the DestinationFileName in the task invocation may expose
      users to remote file hijacking if the server is malicious.

 -- Dominik Viererbe <email address hidden> Mon, 09 Jun 2025 12:16:30 +0300

  dotnet8 (8.0.116-8.0.16-0ubuntu1~22.04.1) jammy; urgency=medium

  * New upstream release
  * SECURITY UPDATE: spoofing vulnerability
    - CVE-2025-26646: .NET and Visual Studio Spoofing Vulnerability
  * Remove strict bootstrapping artifact RID matching. Strict matching caused
    issues during bootstrapping of .NET for a new Ubuntu series, because it
    was build with the binary artifact of the previous series, which caused
    the RIDs not to match. (LP: #2110033) Affected files:
    - debian/rules
    - debian/eng/source_build_artifact_path.py
    - debian/tests/build-time-tests/tests.py

 -- Dominik Viererbe <email address hidden> Tue, 06 May 2025 13:59:06 +0300

  dotnet8 (8.0.115-8.0.15-0ubuntu1~22.04.1) jammy; urgency=medium

  * New upstream release
  * SECURITY UPDATE: denial of service
    - CVE-2025-26682: DoS - ASP.NET Core denial of service with HTTP/3

 -- Dominik Viererbe <email address hidden> Fri, 04 Apr 2025 12:32:57 +0300

  dotnet8 (8.0.114-8.0.14-0ubuntu1~22.04.1) jammy; urgency=medium

  * New upstream release (LP: #2101028)
  * SECURITY UPDATE: elevation of privilege
    - CVE-2025-24070: EoP - Potential Security Risk in
      SignInManager.RefreshSignInAsync Method
  * debian/control:
    - moved Suggests dotnet-runtime-dbg-8.0 from dotnet8 to dotnet-runtime-8.0
    - moved Suggests aspnetcore-runtime-dbg-8.0 from dotnet8 to aspnetcore-runtime-8.0
    - moved Suggests dotnet-sdk-dbg-8.0 from dotnet8 to dotnet-sdk-8.0

 -- Dominik Viererbe <email address hidden> Thu, 06 Mar 2025 11:24:30 +0200