UbuntuUpdates.org

Package "dotnet8"

Name: dotnet8

Description: .NET CLI tools and runtime

Latest version: 8.0.126-8.0.26-0ubuntu1~25.10.1
Release: questing (25.10)
Level: security
Repository: main
Homepage: https://dot.net

Other versions of "dotnet8" in Questing

Repository  Area      Version
base        main      8.0.120-8.0.20-0ubuntu1
base        universe  8.0.20-0ubuntu1
security    universe  8.0.126-0ubuntu1~25.10.1
updates     main      8.0.126-8.0.26-0ubuntu1~25.10.1
updates     universe  8.0.126-0ubuntu1~25.10.1

Changelog

Version: 8.0.126-8.0.26-0ubuntu1~25.10.1 2026-04-15 22:08:35 UTC

  dotnet8 (8.0.126-8.0.26-0ubuntu1~25.10.1) questing-security; urgency=medium

  [ Mateus Rodrigues de Morais ]
  * New upstream release
  * SECURITY UPDATE: denial of service
    - CVE-2026-33116: Possible denial of service via infinite recursion in
      XmlDecryptionTransform.
  * SECURITY UPDATE: denial of service
    - CVE-2026-32203: Possible denial of service via stack overflow in
      EncryptedKey nested decryption.
  * SECURITY UPDATE: remote code execution
    - CVE-2026-32178: SMTP command injection and header injection via
      MailAddress parsing flaw in System.Net.Mail.
  * SECURITY UPDATE: security feature bypass
    - CVE-2026-26171: denial of service and security feature bypass via unsafe
      transforms in EncryptedXml.

 -- Ian Constantin <email address hidden> Tue, 14 Apr 2026 19:43:50 +0000

CVE-2026-33116 Loop with unreachable exit condition ('infinite loop') in .NET, .NET Framework, Visual Studio allows an unauthorized attacker to deny service over a
CVE-2026-32203 Stack-based buffer overflow in .NET and Visual Studio allows an unauthorized attacker to deny service over a network.
CVE-2026-32178 Improper neutralization of special elements in .NET allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-26171 Uncontrolled resource consumption in .NET allows an unauthorized attacker to deny service over a network.

Version: 8.0.125-8.0.25-0ubuntu1~25.10.1 2026-03-11 00:08:04 UTC

  dotnet8 (8.0.125-8.0.25-0ubuntu1~25.10.1) questing-security; urgency=medium

  [ Mateus Rodrigues de Morais ]
  * New upstream release
  * SECURITY UPDATE: denial of service
    - CVE-2026-26130: Possible denial-of-service via SignalR stateful
      reconnect buffer overfill.

 -- Ian Constantin <email address hidden> Sun, 08 Mar 2026 21:24:25 +0200

CVE-2026-26130 Allocation of resources without limits or throttling in ASP.NET Core a ...

Version: 8.0.124-8.0.24-0ubuntu1~25.10.1 2026-02-11 05:07:49 UTC

  dotnet8 (8.0.124-8.0.24-0ubuntu1~25.10.1) questing; urgency=medium

  * New upstream release
  * SECURITY UPDATE: security feature bypass
    - CVE-2026-21218: An attacker could exploit this vulnerability in
      System.Security.Cryptography.Cose by crafting a malicious payload that
      bypasses the security checks in the affected .NET versions, potentially
      leading to unauthorized access or data manipulation.
  * d/p/0002-roslyn-analyzers-dont-use-apphost.patch: refreshed patch to fix
    hunk failure.

 -- Mateus Rodrigues de Morais <email address hidden> Mon, 02 Feb 2026 17:30:30 -0300

CVE-2026-21218 Improper handling of missing special element in .NET allows an unauthorized attacker to perform spoofing over a network.

Version: 8.0.121-8.0.21-0ubuntu1~25.10.1 2025-10-14 21:09:00 UTC

  dotnet8 (8.0.121-8.0.21-0ubuntu1~25.10.1) questing; urgency=medium

  * New upstream release
  * SECURITY UPDATE: denial of service
    - CVE-2025-55247: A vulnerability exists in .NET Core where predictable
      paths for MSBuild's temporary directories on Linux let another user
      create the directories ahead of MSBuild, leading to DoS of builds.
  * SECURITY UPDATE: validation bypass
    - CVE-2025-55315: Inconsistent interpretation of http requests
      ('http request/response smuggling') in ASP.NET Core allows an authorized
      attacker to bypass a security feature over a network.
  * SECURITY UPDATE: information disclosure
    - CVE-2025-55248: MITM (man in the middle) attacker may prevent use of TLS
      between client and SMTP server, forcing client to send data over
      unencrypted connection.
  * eng/test-runner: sync changes with upstream
  * tests/control, tests/regular-tests: sync changes with upstream
  * debian/rules: use release.json manifest instead of legacy text file

 -- Dominik Viererbe <email address hidden> Wed, 08 Oct 2025 13:49:14 +0300

CVE-2025-55247 Improper link resolution before file access ('link following') in .NET ...
CVE-2025-55315 Inconsistent interpretation of http requests ('http request/response s ...
CVE-2025-55248 Inadequate encryption strength in .NET, .NET Framework, Visual Studio ...


