UbuntuUpdates.org

Package "dotnet8"

Name: dotnet8

Description:

.NET CLI tools and runtime

Latest version: 8.0.126-8.0.26-0ubuntu1~22.04.1
Release: jammy (22.04)
Level: security
Repository: main
Homepage: https://dot.net

Other versions of "dotnet8" in Jammy

Repository Area Version
updates main 8.0.126-8.0.26-0ubuntu1~22.04.1

Changelog

Version: 8.0.126-8.0.26-0ubuntu1~22.04.1 2026-04-15 22:08:24 UTC

  dotnet8 (8.0.126-8.0.26-0ubuntu1~22.04.1) jammy-security; urgency=medium

  [ Mateus Rodrigues de Morais ]
  * New upstream release
  * SECURITY UPDATE: denial of service
    - CVE-2026-33116: Possible denial of service via infinite recursion in
      XmlDecryptionTransform.
  * SECURITY UPDATE: denial of service
    - CVE-2026-32203: Possible denial of service via stack overflow in
      EncryptedKey nested decryption.
  * SECURITY UPDATE: remote code execution
    - CVE-2026-32178: SMTP command injection and header injection via
      MailAddress parsing flaw in System.Net.Mail.
  * SECURITY UPDATE: security feature bypass
    - CVE-2026-26171: denial of service and security feature bypass via unsafe
      transforms in EncryptedXml.

 -- Ian Constantin <email address hidden> Tue, 14 Apr 2026 19:43:50 +0000

CVE-2026-33116 Loop with unreachable exit condition ('infinite loop') in .NET, .NET Framework, Visual Studio allows an unauthorized attacker to deny service over a
CVE-2026-32203 Stack-based buffer overflow in .NET and Visual Studio allows an unauthorized attacker to deny service over a network.
CVE-2026-32178 Improper neutralization of special elements in .NET allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-26171 Uncontrolled resource consumption in .NET allows an unauthorized attacker to deny service over a network.

Version: 8.0.125-8.0.25-0ubuntu1~22.04.1 2026-03-11 00:07:58 UTC

  dotnet8 (8.0.125-8.0.25-0ubuntu1~22.04.1) jammy-security; urgency=medium

  [ Mateus Rodrigues de Morais ]
  * New upstream release
  * SECURITY UPDATE: denial of service
    - CVE-2026-26130: Possible denial-of-service via SignalR stateful
      reconnect buffer overfill.

 -- Ian Constantin <email address hidden> Sun, 08 Mar 2026 21:24:10 +0200

CVE-2026-26130 Allocation of resources without limits or throttling in ASP.NET Core a ...

Version: 8.0.124-8.0.24-0ubuntu1~22.04.1 2026-02-11 05:07:46 UTC

  dotnet8 (8.0.124-8.0.24-0ubuntu1~22.04.1) jammy; urgency=medium

  * New upstream release
  * SECURITY UPDATE: security feature bypass
    - CVE-2026-21218: An attacker could exploit this vulnerability in
      System.Security.Cryptography.Cose by crafting a malicious payload that
      bypasses the security checks in the affected .NET versions, potentially
      leading to unauthorized access or data manipulation.
  * d/p/0002-roslyn-analyzers-dont-use-apphost.patch: refreshed patch to fix
    hunk failure.

 -- Mateus Rodrigues de Morais <email address hidden> Mon, 02 Feb 2026 17:30:30 -0300

CVE-2026-21218 Improper handling of missing special element in .NET allows an unauthorized attacker to perform spoofing over a network.

Version: 8.0.121-8.0.21-0ubuntu1~22.04.1 2025-10-14 21:08:54 UTC

  dotnet8 (8.0.121-8.0.21-0ubuntu1~22.04.1) jammy; urgency=medium

  * New upstream release
  * SECURITY UPDATE: denial of service
    - CVE-2025-55247: A vulnerability exists in .NET Core where predictable
      paths for MSBuild's temporary directories on Linux let another user
      create the directories ahead of MSBuild, leading to DoS of builds.
  * SECURITY UPDATE: validation bypass
    - CVE-2025-55315: Inconsistent interpretation of http requests
      ('http request/response smuggling') in ASP.NET Core allows an authorized
      attacker to bypass a security feature over a network.
  * SECURITY UPDATE: information disclosure
    - CVE-2025-55248: MITM (man in the middle) attacker may prevent use of TLS
      between client and SMTP server, forcing client to send data over
      unencrypted connection.
  * eng/test-runner: sync changes with upstream
  * tests/control, tests/regular-tests: sync changes with upstream
  * debian/rules: use release.json manifest instead of legacy text file

 -- Dominik Viererbe <email address hidden> Wed, 08 Oct 2025 13:49:14 +0300

CVE-2025-55247 Improper link resolution before file access ('link following') in .NET ...
CVE-2025-55315 Inconsistent interpretation of http requests ('http request/response s ...
CVE-2025-55248 Inadequate encryption strength in .NET, .NET Framework, Visual Studio ...

Version: 8.0.117-8.0.17-0ubuntu1~22.04.1 2025-06-10 20:37:51 UTC

  dotnet8 (8.0.117-8.0.17-0ubuntu1~22.04.1) jammy; urgency=medium

  * New upstream release
  * SECURITY UPDATE: remote code execution
    - CVE-2025-30399: DLL Hijacking Remote Code Execution Vulnerability.
      When using the Download File task in Microsoft.NETCore.App.Runtime,
      omitting the DestinationFileName in the task invocation may expose
      users to remote file hijacking if the server is malicious.

 -- Dominik Viererbe <email address hidden> Mon, 09 Jun 2025 12:16:30 +0300



