-
dotnet7 (7.0.109-0ubuntu1~22.10.1) kinetic-security; urgency=medium
* New upstream release.
* SECURITY UPDATE: security feature bypass
- CVE-2023-33170: Race Condition in ASP.NET Core SignInManager<TUser>
PasswordSignInAsync Method.
* debian/tests: introduced missing .tests.rc.d directory.
* debian/tests/control: enabled test dotnet-runtime-json-contains-ubuntu-rids.
* debian/tests/.tests.rc.d/init.sh: fixed parsing error of runtime revision
number.
-- Ian Constantin <email address hidden> Thu, 06 Jul 2023 10:59:12 +0300
-
dotnet7 (7.0.108-0ubuntu1~22.10.1) kinetic-security; urgency=medium
[ Mateus Rodrigues de Morais ]
* New upstream release.
- Fixes regression that was introduced with the bugfix for CVE-2023-29331:
Loading null-password-encrypted PFX certificates through .NET can fail
unexpectedly for certificates that previously loaded successfully.
[ Ian Constantin ]
* debian/tests: introducing extended autopkgtests accidentally missed in the
previous release.
-- Ian Constantin <email address hidden> Wed, 21 Jun 2023 16:12:30 +0300
-
dotnet7 (7.0.107-0ubuntu1~22.10.1) kinetic-security; urgency=medium
* New upstream release.
* SECURITY UPDATE: elevation of privilege
- CVE-2023-24936: Bypass restrictions when deserializing a DataSet or
DataTable from XML.
* SECURITY UPDATE: denial of service
- CVE-2023-29331: When a .NET application is internet-facing and accepts
an X509 client certificate for mutual TLS, a malicious client certificate
can cause unbounded CPU usage.
* SECURITY UPDATE: remote code execution
- CVE-2023-29337: A vulnerability exists in NuGet where a potential race
condition can lead to a symlink attack.
* SECURITY UPDATE: elevation of privilege
- CVE-2023-32032: TarFile.ExtractToDirectory ignores extraction directory
argument.
* SECURITY UPDATE: remote code execution
- CVE-2023-33128: An issue in source generators can lead to a crash due to
unmanaged heap corruption.
* debian/patches/add-kinetic-rids.patch: removed due to inclusion upstream.
[ Dominik Viererbe ]
* d/t: extended autopkgtest:
* essential-binaries-and-config-files-should-be-present
* cli-metadata-should-be-correct
* global-json-should-be-detected
* console-template-should-build-and-run
* dotnet-help-should-show-output
* dotnet-project-management-cli-should-work
* example-fsharp-script-output-should-equal-expected-values
* building-hello-world-for-all-supported-rids-should-work
* dotnet-xunit-tests-should-work
* nuget-cli-should-be-able-to-consume-packages-from-nuget-gallery
* crossbuild-for-windows-x64-should-run
* dotnet6-and-dotnet7-should-work-together
-- Ian Constantin <email address hidden> Fri, 02 Jun 2023 22:28:04 +0300
-
dotnet7 (7.0.105-0ubuntu1~22.10.1) kinetic-security; urgency=medium
* New upstream release.
* SECURITY UPDATE: elevation of privilege
- CVE-2023-28260: AzureDevOps Elevation of Privilege - Dotnet CWD dll
hijack vuln.
-- Ian Constantin <email address hidden> Thu, 06 Apr 2023 10:24:09 +0300
-
dotnet7 (7.0.104-0ubuntu2~22.10.1) kinetic; urgency=medium
* Backport dotnet 7.0.104 to kinetic (LP: #2011809).
- debian/control: revert to libicu71
-- Dominik Viererbe <email address hidden> Wed, 22 Mar 2023 13:14:34 +0200
-
dotnet7 (7.0.103-0ubuntu1~22.10.1) kinetic; urgency=medium
* Backport 7.0.103 to kinetic (LP: #2009855).
* debian/control: revert the switch from libicu72 to libicu71.
-- Dominik Viererbe <email address hidden> Fri, 10 Mar 2023 13:29:33 +0200
-
dotnet7 (7.0.102-0ubuntu1~22.10.1) kinetic; urgency=medium
* Backport 7.0.102 to kinetic (LP: #2003691).
* d/rules: All builds now use the new layout. Cleaning comments.
-- Miriam España Acebal <email address hidden> Thu, 19 Jan 2023 13:43:55 +0100
-
dotnet7 (7.0.101-0ubuntu2~22.10.1) kinetic; urgency=medium
* Backport 7.0.101 to kinetic (LP: #2003691).
* d/rules: Changed to use the new installation layout when using previous
debs for building.
-- Miriam España Acebal <email address hidden> Mon, 23 Jan 2023 13:53:15 +0000