-
dotnet7 (7.0.119-0ubuntu1~23.10.1) mantic-security; urgency=medium
* New upstream release
* SECURITY UPDATE: stack buffer overflow
- CVE-2024-30045: a stack based buffer overflow in the .NET Double Parse
routine allows for remote code execution.
* SECURITY UPDATE: resource dead-lock
- CVE-2024-30046: a dead-lock in Http2OutputProducer.Stop() results in a
denial of service.
-- Ian Constantin <email address hidden> Thu, 09 May 2024 15:47:33 +0300
-
dotnet7 (7.0.118-0ubuntu1~23.10.1) mantic; urgency=medium
* New upstream release (LP: #2060260).
* debian/README.source: Update support information (LP: #2058746).
* debian/eng/versionlib: Add support for '+really' and '~bootstrap+ARCH'
in version string.
* debian/tests/versionlib-tests: Add versionlib unit tests
- debian/tests/run-versionlib-tests.sh: script to run the tests
-- Dominik Viererbe <email address hidden> Fri, 05 Apr 2024 05:17:02 +0300
-
dotnet7 (7.0.117-0ubuntu1~23.10.2) mantic; urgency=medium
* Add ca-certificates to dotnet-sdk-7.0 depends (LP: #2057982).
* Replace debian/tests:
- Add debian/tests/01_regular-tests & debian/tests/regular-tests
(testcases files; included version of:
https://github.com/canonical/dotnet-regular-tests/).
- Add debian/tests/build-time-tests
* debian/rules: Added override_dh_auto_test; runs d/t/build-time-tests
* debian/copyright: Update debian/ copyright information
* debian/eng: Added directory for scripts & libraries used within the package:
- Add debian/eng/test-runner (executes debian/tests/regular-tests testcases;
included version of: https://github.com/canonical/dotnet-test-runner).
- Added debian/eng/versionlib (.NET version parsing library; used by
debian/tests).
- Added debian/eng/strenum; needed by debian/eng/versionlib
- Added debian/eng/dotnet-version.py; needed by debian/tests/01_regular-tests
- Moved debian/failing-watchfile-script.sh and debian/build-dotnet-tarball.sh
to debian/eng
-- Dominik Viererbe <email address hidden> Mon, 18 Mar 2024 14:25:37 +0200
-
dotnet7 (7.0.117-0ubuntu1~23.10.1) mantic-security; urgency=medium
* New upstream release
* SECURITY UPDATE: denial of service
- CVE-2024-21392: DoS in .NET Core / YARP HTTP / 2 WebSocket support.
-- Ian Constantin <email address hidden> Fri, 08 Mar 2024 10:35:31 +0200
-
dotnet7 (7.0.116-0ubuntu1~23.10.1) mantic-security; urgency=medium
* New upstream release
* SECURITY UPDATE: denial of service
- CVE-2024-21386: denial of service vector in SignalR server.
* SECURITY UPDATE: denial of service
- CVE-2024-21404: .NET with OpenSSL support is vulnerable to a denial of
service when parsing X509 certificates.
-- Ian Constantin <email address hidden> Thu, 08 Feb 2024 13:54:58 +0200
-
dotnet7 (7.0.115-0ubuntu1~23.10.1) mantic-security; urgency=medium
* New upstream release
* SECURITY UPDATE: validation bypass
- CVE-2024-0057: X509 Certificates - validation bypass across Azure
* SECURITY UPDATE: denial of service
- CVE-2024-21319: Azure Identity - Pre-Authentication DoS in JWT
-- Ian Constantin <email address hidden> Sat, 06 Jan 2024 18:09:54 +0200
-
dotnet7 (7.0.114-0ubuntu1~23.10.1) mantic-security; urgency=medium
[ Nishit Majithia ]
* New upstream release
* SECURITY UPDATE: security feature bypass
- CVE-2023-36558: Security Feature Bypass in Blazor forms
* SECURITY UPDATE: Arbitrary File Write and Deletion
- CVE-2023-36049: Microsoft .NET FormatFtpCommand CRLF Injection
Arbitrary File Write and Deletion
-- Ian Constantin <email address hidden> Mon, 13 Nov 2023 16:08:21 +0200
-
dotnet7 (7.0.113-0ubuntu1~23.10.1) mantic-security; urgency=medium
* New upstream release
* SECURITY REGRESSION: regression update (LP: #2040208)
- Addresses a regression previously introduced by the fix for
CVE-2023-36799.
-- Ian Constantin <email address hidden> Tue, 24 Oct 2023 10:53:54 +0300
-
dotnet7 (7.0.112-0ubuntu1) mantic-security; urgency=medium
* New upstream release.
* SECURITY UPDATE: denial of service
- CVE-2023-44487: Denial of service - Kestrel server.
* SECURITY UPDATE: denial of service
- CVE-2023-36799: A vulnerability exists in .NET when processing X.509
certificates that may result in Denial of Service.
* debian/tests/cli-metadata-should-be-correct: updated regex for the Host
Runtime Version check.
* debian/rules: strip away -fstack-clash-protection flag and set
-mbranch-protection=bti for arm64.
-- Ian Constantin <email address hidden> Wed, 18 Oct 2023 16:22:12 +0300
-
dotnet7 (7.0.110-0ubuntu1) mantic; urgency=medium
* New upstream release.
* SECURITY UPDATE: remote code exection
- CVE-2023-35390: When running certain dotnet commands(e.g. dotnet help
add), dotnet attempts to locate and initiate a new process using
cmd.exe. However, it prioritizes searching for cmd.exe in the current
working directory (CWD) before checking other locations. This can
potentially lead to the execution of malicious code.
* SECURITY UPDATE: denial of service
- CVE-2023-38178: ASP.NET Kestrel stream flow control issue causing a
leak. A malicious QUIC client, that fires off many unidirectional
streams with closed writing sides. This will bypass the HTTP/3 stream
limit and Kestrel cannot keep up with stream processing.
* SECURITY UPDATE: denial of service
- CVE-2023-38180: Kestrel vulnerability to slow read attacks.
-- Ian Constantin <email address hidden> Thu, 03 Aug 2023 08:15:06 +0300
-
dotnet7 (7.0.109-0ubuntu2) mantic; urgency=medium
* d/README.source: updated content
* replaced .NET 6 references (LP: #2009864)
* added support documentation
* added end of life process documentation
* general overhaul
* d/dotnet.sh.in: DOTNET_ROOT was unnecessarily set (LP: #2027620)
* d/t/essential-binaries-and-config-files-should-be-present:
remove check if DOTNET_ROOT is set
* d/watch
* updated matching-pattern to only match 7.0.1XX releases
* d/watch file will fail now deliberately. See comment in d/watch
for more information
* unify d/repack-dotnet-tarball.sh into d/build-dotnet-tarball.sh and
updated command line interface
-- Dominik Viererbe <email address hidden> Wed, 26 Jul 2023 23:11:29 +0300
-
dotnet7 (7.0.109-0ubuntu1) mantic; urgency=medium
* New upstream release.
* SECURITY UPDATE: security feature bypass
- CVE-2023-33170: Race Condition in ASP.NET Core SignInManager<TUser>
PasswordSignInAsync Method.
-- Ian Constantin <email address hidden> Thu, 06 Jul 2023 11:16:21 +0300
-
dotnet7 (7.0.108-0ubuntu2) mantic; urgency=medium
* d/t/control: enabled test dotnet-runtime-json-contains-ubuntu-rids
* d/t/.tests.rc.d/init.sh: fixed parsing error of runtime revision number
-- Dominik Viererbe <email address hidden> Fri, 30 Jun 2023 12:06:34 +0300
-
dotnet7 (7.0.108-0ubuntu1) mantic; urgency=medium
[ Mateus Rodrigues de Morais ]
* New upstream release.
- Fixes regression that was introduced with the bugfix for CVE-2023-29331:
Loading null-password-encrypted PFX certificates through .NET can fail
unexpectedly for certificates that previously loaded successfully.
-- Ian Constantin <email address hidden> Wed, 21 Jun 2023 16:12:33 +0300
-
dotnet7 (7.0.107-0ubuntu1) mantic; urgency=medium
* New upstream release.
* SECURITY UPDATE: elevation of privilege
- CVE-2023-24936: Bypass restrictions when deserializing a DataSet or
DataTable from XML.
* SECURITY UPDATE: denial of service
- CVE-2023-29331: When a .NET application is internet-facing and accepts
an X509 client certificate for mutual TLS, a malicious client certificate
can cause unbounded CPU usage.
* SECURITY UPDATE: remote code exection
- CVE-2023-29337: A vulnerability exists in NuGet where a potential race
condition can lead to a symlink attack.
* SECURITY UPDATE: elevation of privilege
- CVE-2023-32032: TarFile.ExtractToDirectory ignores extraction directory
argument.
* SECURITY UPDATE: remote code execution
- CVE-2023-33128: An issue in source generators can lead to a crash due to
unmanaged heap corruption.
* debian/patches/add-kinetic-rids.patch: removed due to inclusion upstream.
* debian/patches/add-mantic-rids.patch: removed due to inclusion upstream.
-- Ian Constantin <email address hidden> Fri, 02 Jun 2023 23:02:13 +0300
-
dotnet7 (7.0.105-0ubuntu3) mantic; urgency=medium
* d/p/add-mantic-rids.patch: Added RIDs for ubuntu 23.10 mantic.
* d/p/add-kinetic-rids.patch: refreshed to ab style patch
* d/t: extended autopkgtest:
* essential-binaries-and-config-files-should-be-present
* cli-metadata-should-be-correct
* global-json-should-be-detected
* console-template-should-build-and-run
* dotnet-help-should-show-output
* dotnet-project-management-cli-should-work
* example-fsharp-script-output-should-equal-expected-values
* building-hello-world-for-all-supported-rids-should-work
* dotnet-xunit-tests-should-work
* nuget-cli-should-be-able-to-consume-packages-from-nuget-gallery
* crossbuild-for-windows-x64-should-run
* dotnet6-and-dotnet7-should-work-together
-- Dominik Viererbe <email address hidden> Fri, 19 May 2023 10:31:29 +0300
-
dotnet7 (7.0.105-0ubuntu2) lunar; urgency=medium
* tests/basic-checks: updated basic version check to new dotnet version.
-- Ian Constantin <email address hidden> Wed, 12 Apr 2023 12:03:05 +0300