UbuntuUpdates.org

Package "dotnet9"

Name: dotnet9

Description: .NET CLI tools and runtime

Latest version: 9.0.116-9.0.15-0ubuntu1~25.10.1
Release: questing (25.10)
Level: updates
Repository: universe
Homepage: https://dot.net

Other versions of "dotnet9" in Questing

Repository Area Version
base universe 9.0.110-9.0.9-0ubuntu1
security universe 9.0.116-9.0.15-0ubuntu1~25.10.1

Changelog

Version: 9.0.116-9.0.15-0ubuntu1~25.10.1 2026-04-15 23:08:26 UTC

  dotnet9 (9.0.116-9.0.15-0ubuntu1~25.10.1) questing-security; urgency=medium

  [ Mateus Rodrigues de Morais ]
  * New upstream release
  * SECURITY UPDATE: denial of service
    - CVE-2026-33116: Possible denial of service via infinite recursion in
      XmlDecryptionTransform.
  * SECURITY UPDATE: denial of service
    - CVE-2026-32203: Possible denial of service via stack overflow in
      EncryptedKey nested decryption.
  * SECURITY UPDATE: remote code execution
    - CVE-2026-32178: SMTP command injection and header injection via
      MailAddress parsing flaw in System.Net.Mail.
  * SECURITY UPDATE: security feature bypass
    - CVE-2026-26171: denial of service and security feature bypass via unsafe
      transforms in EncryptedXml.

 -- Ian Constantin <email address hidden> Tue, 14 Apr 2026 19:43:50 +0000

CVE-2026-33116 Loop with unreachable exit condition ('infinite loop') in .NET, .NET Framework, Visual Studio allows an unauthorized attacker to deny service over a
CVE-2026-32203 Stack-based buffer overflow in .NET and Visual Studio allows an unauthorized attacker to deny service over a network.
CVE-2026-32178 Improper neutralization of special elements in .NET allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-26171 Uncontrolled resource consumption in .NET allows an unauthorized attacker to deny service over a network.

Version: 9.0.115-9.0.14-0ubuntu1~25.10.1 2026-03-11 07:08:05 UTC

  dotnet9 (9.0.115-9.0.14-0ubuntu1~25.10.1) questing-security; urgency=medium

  [ Mateus Rodrigues de Morais ]
  * New upstream release
  * SECURITY UPDATE: denial of service
    - CVE-2026-26130: Possible denial-of-service via SignalR stateful
      reconnect buffer overfill.
  * SECURITY UPDATE: denial of service
    - CVE-2026-26127: System.Buffers.Text.Base64Url.DecodeFromChars
      out-of-bounds read from malformed Base64Url input. A bug in the
      implementation causes out-of-bound reads of the DecodingMap, potentially
      leading to Access Violation Exceptions (AVEs) when unsafe code is used.

 -- Ian Constantin <email address hidden> Sun, 08 Mar 2026 21:28:24 +0200

CVE-2026-26130 Allocation of resources without limits or throttling in ASP.NET Core a ...
CVE-2026-26127 Out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network.

Version: 9.0.114-9.0.13-0ubuntu1~25.10.1 2026-02-11 11:07:50 UTC

  dotnet9 (9.0.114-9.0.13-0ubuntu1~25.10.1) questing; urgency=medium

  * New upstream release
  * SECURITY UPDATE: security feature bypass
    - CVE-2026-21218: An attacker could exploit this vulnerability in
      System.Security.Cryptography.Cose by crafting a malicious payload that
      bypasses the security checks in the affected .NET versions, potentially
      leading to unauthorized access or data manipulation.
  * d/p/0002-roslyn-analyzers-dont-use-apphost.patch: refreshed patch to fix
    hunk failure.

 -- Mateus Rodrigues de Morais <email address hidden> Mon, 02 Feb 2026 17:30:30 -0300

CVE-2026-21218 Improper handling of missing special element in .NET allows an unauthorized attacker to perform spoofing over a network.

Version: 9.0.113-9.0.12-0ubuntu1~25.10.1 2026-02-11 04:07:53 UTC

  dotnet9 (9.0.113-9.0.12-0ubuntu1~25.10.1) questing; urgency=medium

  * New upstream release (LP: #2138931)
  * d/t/regular-tests: synced with upstream.
    - Removed release-version-sane test following upstream.
    - Removed unnecessary files from source tree.
    - cgroup-limit/test.sh: fix autopkgtest regression in Ubuntu releases with
      rust-coreutils by comparing the cgroup filesystem ID instead of friendly
      name.
  * d/t/run-regular-tests: fixed test username typo.
  * d/rules: cleaned up trailing spaces.
  * d/eng/test-runner: removed unnecessary files from source tree.

 -- Mateus Rodrigues de Morais <email address hidden> Tue, 20 Jan 2026 11:23:58 -0300

2138931 [SRU] New upstream microrelease .NET 9.0.113/9.0.12

Version: 9.0.112-9.0.11-0ubuntu1~25.10.1 2025-12-09 18:32:59 UTC

  dotnet9 (9.0.112-9.0.11-0ubuntu1~25.10.1) questing; urgency=medium

  * New upstream release (LP: #2130894)
  * d/{sdk-check-config.json,rules}: `dotnet sdk check` tool points to
    Canonical's release database.
  * d/t/regular-tests: synced with upstream to fix failing tests and add new
    ones for .NET 10.

 -- Mateus Rodrigues de Morais <email address hidden> Fri, 07 Nov 2025 17:01:22 +0100

2130894 [SRU] New upstream microrelease .NET 9.0.112/9.0.11
