Package "dotnet8"

  dotnet8 (8.0.112-8.0.12-0ubuntu1~24.10.1) oracular; urgency=medium

  * New upstream release (LP: #2094272).
  * SECURITY UPDATE: remote code execution
    - CVE-2025-21172: An integer overflow in msdia140.dll leads to heap-based
      buffer overflow, leading to possible RCE. An attacker could exploit this
      vulnerability by loading a specially crafted file in Visual Studio.
  * SECURITY UPDATE: remote code execution
    - CVE-2025-21176: Insufficient input data validation leads to heap-based
      buffer overflow in msdia140.dll. An attacker could exploit this
      vulnerability by loading a specially crafted file in Visual Studio.
  * SECURITY UPDATE: elevation of privilege
    - CVE-2025-21173: Insecure Temp File Usage Allows Malicious Package
      Dependency Injection on Linux. An attacker could exploit this
      vulnerability to writing a specially crafted file in the security
      context of the local system. This only affects .NET on Linux operating
      systems.
  * Unified source build transition. The debian source tree for dotnet*
    source packages is now build from a common source (see also:
    https://github.com/canonical/dotnet-source-build/pull/13). Changes include:
    - d/rules: Refactored; the same file is now used by
      all dotnet* source packages. A major change is the use of substvars.
    - d/control: Change hard-coded libicu* to dynamic ${libicu:Depends} substvar.
    - d/eng/dotnet-pkg-info.mk: Added to provide common information and
      functionality for all dotnet* source packages. Is used by d/rules.
    - Removed .in file extension from the files
      d/*.{install,manpages,dirs,docs,preinst,sh}.in and used substvars.
    - d/eng/build-dotnet-tarball.sh: Removed.
    - d/eng/source_build_artifact_path.py, d/eng/versionlib,
      d/tests/regular-tests: Updated; includes bug-fixes from
      other dotnet* source packages.
    - d/patches: Renamed patch files to uniquely identify patches among all
      dotnet* source packages.
  * Removed fix-clang19-build.patch; backported upstream.
  * d/aspnetcore-runtime-8.0.docs: Included src/razor/NOTICE.txt in package to
    comply with Apache-2.0 paragraph 4 section (d).
  * d/control:
    - Alphabetically sorted Build-Depends.
    - Added tree to Build-Depends for debugging purposes.
    - Fixed descriptions with invalid control statements
      (lines containing a space, a full stop and some more characters)
      to comply with Section 5.6.13 in the Debian Policy Manual.
    - Added dotnet-runtime-dbg-8.0, aspnetcore-runtime-dbg-8.0,
      dotnet-sdk-dbg-8.0 to dotnet8 Suggests.
  * d/copyright:
    - Refresh copyright info.
    - Add LGPL-2.1 license text.
  * d/rules: Added override_dh_auto_clean to remove .NET and Python
    binary artifacts.
  * lintian overrides:
    - Silenced dotnet-sdk-8.0-source-built-artifacts: package-has-long-file-name
      The long file name is unavoidable.
    - Silenced FO127 related lintian warning
      hyphen-in-upstream-part-of-debian-changelog-version.
    - Silenced manpage troff warnings. Troff complains that it is silly that the
      dotnet8 manpages select a monospace font on a terminal output that only
      supports monospace fonts.

 -- Dominik Viererbe <email address hidden> Wed, 15 Jan 2025 20:11:26 +0200