Package "dotnet8"

  dotnet8 (8.0.127-8.0.27-0ubuntu1~24.04.1) noble-security; urgency=medium

  * SECURITY UPDATE: denial of service
    - CVE-2026-42899: Loop with unreachable exit condition ('infinite loop')
      in ASP.NET Core allows an unauthorized attacker to deny service over a
      network.

  [ Mateus Rodrigues de Morais ]
  * New upstream release (LP: #2152591)
  * d/t/regular-tests/check-test-results: match to any NU1102 error
    occurrences when ignoring package not found restore errors.
  * d/t/regular-tests/template-test/test.json: increment timeout multiplier to
    avoid timeout errors when running on the autopkgtest cloud.
  * d/t/regular-tests/tools-in-path/test.json: skip test when running on the
    toolchains-ci CI pipeline.
  * d/t/run-regular-tests: define environment variable to selectively add the
    'toolchains-ci' trait to the test runner.

 -- Ian Constantin <email address hidden> Fri, 22 May 2026 17:45:46 +0300

  dotnet8 (8.0.126-8.0.26-0ubuntu1~24.04.1) noble-security; urgency=medium

  [ Mateus Rodrigues de Morais ]
  * New upstream release
  * SECURITY UPDATE: denial of service
    - CVE-2026-33116: Possible denial of service via infinite recursion in
      XmlDecryptionTransform.
  * SECURITY UPDATE: denial of service
    - CVE-2026-32203: Possible denial of service via stack overflow in
      EncryptedKey nested decryption.
  * SECURITY UPDATE: remote code execution
    - CVE-2026-32178: SMTP command injection and header injection via
      MailAddress parsing flaw in System.Net.Mail.
  * SECURITY UPDATE: security feature bypass
    - CVE-2026-26171: denial of service and security feature bypass via unsafe
      transforms in EncryptedXml.

 -- Ian Constantin <email address hidden> Tue, 14 Apr 2026 19:43:50 +0000

  dotnet8 (8.0.125-8.0.25-0ubuntu1~24.04.1) noble-security; urgency=medium

  [ Mateus Rodrigues de Morais ]
  * New upstream release
  * SECURITY UPDATE: denial of service
    - CVE-2026-26130: Possible denial-of-service via SignalR stateful
      reconnect buffer overfill.

 -- Ian Constantin <email address hidden> Sun, 08 Mar 2026 21:24:23 +0200

  dotnet8 (8.0.124-8.0.24-0ubuntu1~24.04.1) noble; urgency=medium

  * New upstream release
  * SECURITY UPDATE: security feature bypass
    - CVE-2026-21218: An attacker could exploit this vulnerability in
      System.Security.Cryptography.Cose by crafting a malicious payload that
      bypasses the security checks in the affected .NET versions, potentially
      leading to unauthorized access or data manipulation.
  * d/p/0002-roslyn-analyzers-dont-use-apphost.patch: refreshed patch to fix
    hunk failure.

 -- Mateus Rodrigues de Morais <email address hidden> Mon, 02 Feb 2026 17:30:30 -0300

  dotnet8 (8.0.123-8.0.23-0ubuntu1~24.04.1) noble; urgency=medium

  * New upstream release (LP: #2138326)
  * d/t/regular-tests: synced with upstream.
    - Removed release-version-sane test following upstream.
    - Removed unnecessary files from source tree.
    - cgroup-limit/test.sh: fix autopkgtest regression in Ubuntu releases with
      rust-coreutils by comparing the cgroup filesystem ID instead of friendly
      name.
  * d/t/run-regular-tests: fixed test username typo.
  * d/rules: cleaned up trailing spaces.
  * d/eng/test-runner: removed unnecessary files from source tree.

 -- Mateus Rodrigues de Morais <email address hidden> Tue, 20 Jan 2026 11:23:58 -0300