Package "dotnet8"

  dotnet8 (8.0.124-8.0.24-0ubuntu1~22.04.1) jammy; urgency=medium

  * New upstream release
  * SECURITY UPDATE: security feature bypass
    - CVE-2026-21218: An attacker could exploit this vulnerability in
      System.Security.Cryptography.Cose by crafting a malicious payload that
      bypasses the security checks in the affected .NET versions, potentially
      leading to unauthorized access or data manipulation.
  * d/p/0002-roslyn-analyzers-dont-use-apphost.patch: refreshed patch to fix
    hunk failure.

 -- Mateus Rodrigues de Morais <email address hidden> Mon, 02 Feb 2026 17:30:30 -0300

  dotnet8 (8.0.121-8.0.21-0ubuntu1~22.04.1) jammy; urgency=medium

  * New upstream release
  * SECURITY UPDATE: denial of service
    - CVE-2025-55247: A vulnerability exists in .NET Core where predictable
      paths for MSBuild's temporary directories on Linux let another user
      create the directories ahead of MSBuild, leading to DoS of builds.
  * SECURITY UPDATE: validation bypass
    - CVE-2025-55315: Inconsistent interpretation of http requests
      ('http request/response smuggling') in ASP.NET Core allows an authorized
      attacker to bypass a security feature over a network.
  * SECURITY UPDATE: information disclosure
    - CVE-2025-55248: MITM (man in the middle) attacker may prevent use of TLS
      between client and SMTP server, forcing client to send data over
      unencrypted connection.
  * eng/test-runner: sync changes with upstream
  * tests/control, tests/regular-tests: sync changes with upstream
  * debian/rules: use release.json manifest instead of legacy text file

 -- Dominik Viererbe <email address hidden> Wed, 08 Oct 2025 13:49:14 +0300

  dotnet8 (8.0.117-8.0.17-0ubuntu1~22.04.1) jammy; urgency=medium

  * New upstream release
  * SECURITY UPDATE: remote code execution
    - CVE-2025-30399: DLL Hijacking Remote Code Execution Vulnerability.
      When using the Download File task in Microsoft.NETCore.App.Runtime,
      omitting the DestinationFileName in the task invocation may expose
      users to remote file hijacking if the server is malicious.

 -- Dominik Viererbe <email address hidden> Mon, 09 Jun 2025 12:16:30 +0300

  dotnet8 (8.0.116-8.0.16-0ubuntu1~22.04.1) jammy; urgency=medium

  * New upstream release
  * SECURITY UPDATE: spoofing vulnerability
    - CVE-2025-26646: .NET and Visual Studio Spoofing Vulnerability
  * Remove strict bootstrapping artifact RID matching. Strict matching caused
    issues during bootstrapping of .NET for a new Ubuntu series, because it
    was build with the binary artifact of the previous series, which caused
    the RIDs not to match. (LP: #2110033) Affected files:
    - debian/rules
    - debian/eng/source_build_artifact_path.py
    - debian/tests/build-time-tests/tests.py

 -- Dominik Viererbe <email address hidden> Tue, 06 May 2025 13:59:06 +0300

  dotnet8 (8.0.115-8.0.15-0ubuntu1~22.04.1) jammy; urgency=medium

  * New upstream release
  * SECURITY UPDATE: denial of service
    - CVE-2025-26682: DoS - ASP.NET Core denial of service with HTTP/3

 -- Dominik Viererbe <email address hidden> Fri, 04 Apr 2025 12:32:57 +0300