Package "dotnet8"

  dotnet8 (8.0.112-8.0.12-0ubuntu1~24.04.1) noble; urgency=medium

  * New upstream release (LP: #2094272).
  * SECURITY UPDATE: remote code execution
    - CVE-2025-21172: An integer overflow in msdia140.dll leads to heap-based
      buffer overflow, leading to possible RCE. An attacker could exploit this
      vulnerability by loading a specially crafted file in Visual Studio.
  * SECURITY UPDATE: remote code execution
    - CVE-2025-21176: Insufficient input data validation leads to heap-based
      buffer overflow in msdia140.dll. An attacker could exploit this
      vulnerability by loading a specially crafted file in Visual Studio.
  * SECURITY UPDATE: elevation of privilege
    - CVE-2025-21173: Insecure Temp File Usage Allows Malicious Package
      Dependency Injection on Linux. An attacker could exploit this
      vulnerability to writing a specially crafted file in the security
      context of the local system. This only affects .NET on Linux operating
      systems.
  * Unified source build transition. The debian source tree for dotnet*
    source packages is now build from a common source (see also:
    https://github.com/canonical/dotnet-source-build/pull/13). Changes include:
    - d/rules: Refactored; the same file is now used by
      all dotnet* source packages. A major change is the use of substvars.
    - d/control: Change hard-coded libicu* to dynamic ${libicu:Depends} substvar.
    - d/eng/dotnet-pkg-info.mk: Added to provide common information and
      functionality for all dotnet* source packages. Is used by d/rules.
    - Removed .in file extension from the files
      d/*.{install,manpages,dirs,docs,preinst,sh}.in and used substvars.
    - d/eng/build-dotnet-tarball.sh: Removed.
    - d/eng/source_build_artifact_path.py, d/eng/versionlib,
      d/tests/regular-tests: Updated; includes bug-fixes from
      other dotnet* source packages.
    - d/patches: Renamed patch files to uniquely identify patches among all
      dotnet* source packages.
  * d/aspnetcore-runtime-8.0.docs: Included src/razor/NOTICE.txt in package to
    comply with Apache-2.0 paragraph 4 section (d).
  * d/control:
    - Alphabetically sorted Build-Depends.
    - Added tree to Build-Depends for debugging purposes.
    - Fixed descriptions with invalid control statements
      (lines containing a space, a full stop and some more characters)
      to comply with Section 5.6.13 in the Debian Policy Manual.
    - Added dotnet-runtime-dbg-8.0, aspnetcore-runtime-dbg-8.0,
      dotnet-sdk-dbg-8.0 to dotnet8 Suggests.
  * d/copyright:
    - Refresh copyright info.
    - Add LGPL-2.1 license text.
  * d/rules: Added override_dh_auto_clean to remove .NET and Python
    binary artifacts.
  * lintian overrides:
    - Silenced dotnet-sdk-8.0-source-built-artifacts: package-has-long-file-name
      The long file name is unavoidable.
    - Silenced FO127 related lintian warning
      hyphen-in-upstream-part-of-debian-changelog-version.
    - Silenced manpage troff warnings. Troff complains that it is silly that the
      dotnet8 manpages select a monospace font on a terminal output that only
      supports monospace fonts.

 -- Dominik Viererbe <email address hidden> Wed, 15 Jan 2025 20:11:26 +0200

  dotnet8 (8.0.111-8.0.11-0ubuntu1~24.04.1) noble; urgency=medium

  * New upstream release (LP: #2087882)

 -- Dominik Viererbe <email address hidden> Fri, 08 Nov 2024 18:16:21 +0200

  dotnet8 (8.0.110-8.0.10-0ubuntu1~24.04.1) noble-security; urgency=medium

  * New upstream release
  * SECURITY UPDATE: remote code execution
    - CVE-2024-38229: Kestrel http/3 - When closing an HTTP/3 stream while
      application code is writing to the response body, a race condition may
      lead to remote code execution.
  * SECURITY UPDATE: denial of service
    - CVE-2024-43483: Multiple .NET components designed to process hostile
      input are susceptible to hash flooding attacks.
  * SECURITY UPDATE: denial of service
    - CVE-2024-43484: System.IO.Packaging - Multiple DoS vectors in use of
      SortedList.
  * SECURITY UPDATE: denial of service
    - CVE-2024-43485: Denial of Service attack against System.Text.Json
      ExtensionData feature.

 -- Ian Constantin <email address hidden> Wed, 02 Oct 2024 09:54:18 +0300

  dotnet8 (8.0.108-8.0.8-0ubuntu1~24.04.2) noble; urgency=medium

  * Add ppc64el as a supported architecture (LP: #2075185).
    - d/control, d/rules: Add ppc64el as a supported architecture.
    - d/eng/versionlib/dotnet.py: Add ppc64le to ArchitectureIdentifier.
  * d/p/0002-roslyn-analyzers-dont-use-apphost.patch: Fix ppc64el FTBFS by
    disabling usage of AppHost in roslyn-analyzers PerformanceTests project.
  * d/p/0003-vstest-intent-net8.0.patch: Fix ppc64el FTBFS by changing the
    vstest Intent test project TFM to net8.0.
  * d/t/regular-tests/release-version-sane/VersionTest.cs: Fix test failure
    by defining a sane release version as less than or equal to current.
  * d/eng/test-runner: Update test runner to latest version (v1.1.0) to fix
    autopkgtest failure in ppc64el.

 -- Mateus Rodrigues de Morais <email address hidden> Tue, 13 Aug 2024 18:58:38 -0300

  dotnet8 (8.0.108-8.0.8-0ubuntu1~24.04.1) noble-security; urgency=medium

  * New upstream release
  * SECURITY UPDATE: information disclosure
    - CVE-2024-38167: information disclosure vulnerability in TlsStream.
  * debian/eng/build-dotnet-tarball.sh: SECURITY_PARTNERS_REPOSITORY
    connection method updated.

 -- Ian Constantin <email address hidden> Fri, 09 Aug 2024 09:43:27 +0300