Package "dotnet8"

  dotnet8 (8.0.112-8.0.12-0ubuntu1~22.04.1) jammy; urgency=medium

  * New upstream release (LP: #2094272).
  * SECURITY UPDATE: remote code execution
    - CVE-2025-21172: An integer overflow in msdia140.dll leads to heap-based
      buffer overflow, leading to possible RCE. An attacker could exploit this
      vulnerability by loading a specially crafted file in Visual Studio.
  * SECURITY UPDATE: remote code execution
    - CVE-2025-21176: Insufficient input data validation leads to heap-based
      buffer overflow in msdia140.dll. An attacker could exploit this
      vulnerability by loading a specially crafted file in Visual Studio.
  * SECURITY UPDATE: elevation of privilege
    - CVE-2025-21173: Insecure Temp File Usage Allows Malicious Package
      Dependency Injection on Linux. An attacker could exploit this
      vulnerability to writing a specially crafted file in the security
      context of the local system. This only affects .NET on Linux operating
      systems.
  * Unified source build transition. The debian source tree for dotnet*
    source packages is now build from a common source (see also:
    https://github.com/canonical/dotnet-source-build/pull/13). Changes include:
    - d/rules: Refactored; the same file is now used by
      all dotnet* source packages. A major change is the use of substvars.
    - d/control: Change hard-coded libicu* to dynamic ${libicu:Depends} substvar.
    - d/eng/dotnet-pkg-info.mk: Added to provide common information and
      functionality for all dotnet* source packages. Is used by d/rules.
    - Removed .in file extension from the files
      d/*.{install,manpages,dirs,docs,preinst,sh}.in and used substvars.
    - d/eng/build-dotnet-tarball.sh: Removed.
    - d/eng/source_build_artifact_path.py, d/eng/versionlib,
      d/tests/regular-tests: Updated; includes bug-fixes from
      other dotnet* source packages.
    - d/patches: Renamed patch files to uniquely identify patches among all
      dotnet* source packages.
  * d/aspnetcore-runtime-8.0.docs: Included src/razor/NOTICE.txt in package to
    comply with Apache-2.0 paragraph 4 section (d).
  * d/control:
    - Alphabetically sorted Build-Depends.
    - Added tree to Build-Depends for debugging purposes.
    - Fixed descriptions with invalid control statements
      (lines containing a space, a full stop and some more characters)
      to comply with Section 5.6.13 in the Debian Policy Manual.
    - Added dotnet-runtime-dbg-8.0, aspnetcore-runtime-dbg-8.0,
      dotnet-sdk-dbg-8.0 to dotnet8 Suggests.
  * d/copyright:
    - Refresh copyright info.
    - Add LGPL-2.1 license text.
  * d/rules: Added override_dh_auto_clean to remove .NET and Python
    binary artifacts.
  * lintian overrides:
    - Silenced dotnet-sdk-8.0-source-built-artifacts: package-has-long-file-name
      The long file name is unavoidable.
    - Silenced FO127 related lintian warning
      hyphen-in-upstream-part-of-debian-changelog-version.
    - Silenced manpage troff warnings. Troff complains that it is silly that the
      dotnet8 manpages select a monospace font on a terminal output that only
      supports monospace fonts.

 -- Dominik Viererbe <email address hidden> Wed, 15 Jan 2025 20:11:26 +0200

  dotnet8 (8.0.111-8.0.11-0ubuntu1~22.04.1) jammy; urgency=medium

  * New upstream release (LP: #2087882)

 -- Dominik Viererbe <email address hidden> Fri, 08 Nov 2024 18:16:21 +0200

  dotnet8 (8.0.110-8.0.10-0ubuntu1~22.04.1) jammy-security; urgency=medium

  * New upstream release
  * SECURITY UPDATE: remote code execution
    - CVE-2024-38229: Kestrel http/3 - When closing an HTTP/3 stream while
      application code is writing to the response body, a race condition may
      lead to remote code execution.
  * SECURITY UPDATE: denial of service
    - CVE-2024-43483: Multiple .NET components designed to process hostile
      input are susceptible to hash flooding attacks.
  * SECURITY UPDATE: denial of service
    - CVE-2024-43484: System.IO.Packaging - Multiple DoS vectors in use of
      SortedList.
  * SECURITY UPDATE: denial of service
    - CVE-2024-43485: Denial of Service attack against System.Text.Json
      ExtensionData feature.

 -- Ian Constantin <email address hidden> Wed, 02 Oct 2024 09:54:14 +0300

  dotnet8 (8.0.108-8.0.8-0ubuntu1~22.04.1) jammy-security; urgency=medium

  * New upstream release
  * SECURITY UPDATE: information disclosure
    - CVE-2024-38167: information disclosure vulnerability in TlsStream.

 -- Ian Constantin <email address hidden> Thu, 08 Aug 2024 16:43:10 +0300

  dotnet8 (8.0.107-8.0.7-0ubuntu1~22.04.1) jammy-security; urgency=medium

  * New upstream release
  * SECURITY UPDATE: denial of service
    - CVE-2024-30105: Denial of service vulnerability in System.Text.Json
      deserialization.
  * SECURITY UPDATE: denial of service
    - CVE-2024-35264: Denial of service in ASP.NET Core 8.
  * SECURITY UPDATE: denial of service
    - CVE-2024-38095: Denial of service in parsing X.509 Content and
      ObjectIdentifiers.
  * debian/eng/build-dotnet-tarball.sh: SECURITY_PARTNERS_REPOSITORY
    connection method updated.

 -- Ian Constantin <email address hidden> Tue, 02 Jul 2024 11:56:00 +0300