Package "dotnet8"
| Name: |
dotnet8
|
Description: |
.NET CLI tools and runtime
|
| Latest version: |
8.0.129-8.0.29-0ubuntu1~22.04.1 |
| Release: |
jammy (22.04) |
| Level: |
security |
| Repository: |
main |
| Homepage: |
https://dot.net |
Links
Download "dotnet8"
Other versions of "dotnet8" in Jammy
Packages in group
Deleted packages are displayed in grey.
Changelog
|
dotnet8 (8.0.129-8.0.29-0ubuntu1~22.04.1) jammy-security; urgency=medium
* New upstream release
* SECURITY UPDATE: denial of service
- CVE-2026-57108: .NET runtime - CryptoNative_GetX509NameInfo - UPN
BOOLEAN ASN.1 type-confusion DoS.
* SECURITY UPDATE:
- CVE-2026-47303: ASP.NET Core - Negotiate/LdapAdapter.cs - LDAP
identifier confusion CN vs sAMAccountName.
* SECURITY UPDATE: code injection
- CVE-2026-47300: LdapAdapter query validation fix - LDAP injection via
unvalidated filter input.
* SECURITY UPDATE: code injection
- CVE-2026-50659: System.Net.Mail - SMTP smuggling via CRLF split across
buffers.
* SECURITY UPDATE: security feature bypass
- CVE-2026-50528: System.Net.Security - additional SslStream fix (auth
bypass via ignored channel binding).
* SECURITY UPDATE: denial of service
- CVE-2026-50525: EncryptedXml/TransformChain - DoS via XML transform
chain DTD/base64 amplification.
* SECURITY UPDATE: security feature bypass
- CVE-2026-47304: EncryptedXml - XML Encryption vulnerability
(SignedXml.CheckSignature forgery via empty HMAC).
* SECURITY UPDATE: stack overflow
- CVE-2026-50527: EncryptedXml - System.Security.Cryptography.Xml.Utils -
Unauth XML triggers Type.GetType stack overflow.
* SECURITY UPDATE: denial of service
- CVE-2026-50648: EncryptedXml - XmlDecryptionTransform document-rooted
XPath queries causing O(n²) CPU DoS.
* SECURITY UPDATE: denial of service
- CVE-2026-47302: EncryptedXml - XML Encryption vulnerability +
XmlTextReaderImpl.Read duplicate attributes DoS.
* SECURITY UPDATE: security feature bypass
- CVE-2026-50524: System.Net.Security - SslStream handshake with malformed
TLS packets.
* SECURITY UPDATE: blob injection
- CVE-2026-50526: .NET SDK - Container image build cache uses predictable
world-writable location enabling blob injection.
* SECURITY UPDATE: denial of service
- CVE-2026-50651: SocketsHttpHandler Http2Connection - HTTP/2
SETTINGS/PING ACK flood causing OOM.
* Fix `dotnet sdk check` command source URL. (LP: #2156464)
- d/eng/dotnet-pkg-info.mk: strip suffixes from changelog distribution
name to avoid using wrong release names.
- d/t/regular-tests/dotnet-sdk-check-url-verification: test to verify the
sdk check command queries a URL with a valid release name.
- d/t/regular-tests/README.md: add distro-info as a necessary dependency
for the testsuite.
- d/t/control: add distro-info as a test dependency.
-- Mateus Rodrigues de Morais <email address hidden> Tue, 07 Jul 2026 17:23:34 -0300
|
| Source diff to previous version |
| CVE-2026-57108 |
Access of resource using incompatible type ('type confusion') in .NET Core allows an unauthorized attacker to deny service over a network. |
| CVE-2026-47303 |
Authentication bypass by assumed-immutable data in ASP.NET Core allows an authorized attacker to elevate privileges over a network. |
| CVE-2026-47300 |
Incorrect implementation of authentication algorithm in ASP.NET Core allows an authorized attacker to elevate privileges over a network. |
| CVE-2026-50659 |
Improper encoding or escaping of output in .NET allows an authorized attacker to perform spoofing over a network. |
| CVE-2026-50528 |
Incorrect authorization in .NET allows an unauthorized attacker to bypass a security feature over a network. |
| CVE-2026-50525 |
Allocation of resources without limits or throttling in .NET allows an unauthorized attacker to deny service over a network. |
| CVE-2026-47304 |
Improper verification of cryptographic signature in .NET allows an unauthorized attacker to bypass a security feature over a network. |
| CVE-2026-50527 |
Stack-based buffer overflow in .NET Framework allows an unauthorized attacker to deny service over a network. |
| CVE-2026-50648 |
Allocation of resources without limits or throttling in .NET Framework allows an unauthorized attacker to deny service over a network. |
| CVE-2026-47302 |
Allocation of resources without limits or throttling in .NET allows an unauthorized attacker to deny service over a network. |
| CVE-2026-50524 |
Improper validation of specified type of input in .NET Framework allows an unauthorized attacker to deny service over a network. |
| CVE-2026-50526 |
Improper link resolution before file access ('link following') in .NET allows an authorized attacker to perform tampering locally. |
| CVE-2026-50651 |
Allocation of resources without limits or throttling in .NET allows an unauthorized attacker to deny service over a network. |
|
|
dotnet8 (8.0.128-8.0.28-0ubuntu1~22.04.1) jammy-security; urgency=medium
[ Mateus Rodrigues de Morais ]
* New upstream release
* SECURITY UPDATE: arbitrary file write
- CVE-2026-45491: improper link resolution before file access
('link following') in .NET allows an unauthorized attacker to perform
local tampering.
* SECURITY UPDATE: denial of service
- CVE-2026-45591: Stack overflow DoS via deeply-nested MessagePack arrays.
-- Ian Constantin <email address hidden> Wed, 10 Jun 2026 10:35:01 +0300
|
| Source diff to previous version |
| CVE-2026-45491 |
Improper link resolution before file access ('link following') in .NET allows an unauthorized attacker to perform tampering locally. |
| CVE-2026-45591 |
Uncontrolled resource consumption in ASP.NET Core allows an unauthorized attacker to deny service over a network. |
|
|
dotnet8 (8.0.127-8.0.27-0ubuntu1~22.04.1) jammy-security; urgency=medium
* SECURITY UPDATE: denial of service
- CVE-2026-42899: Loop with unreachable exit condition ('infinite loop')
in ASP.NET Core allows an unauthorized attacker to deny service over a
network.
[ Mateus Rodrigues de Morais ]
* New upstream release (LP: #2152591)
* d/t/regular-tests/check-test-results: match to any NU1102 error
occurrences when ignoring package not found restore errors.
* d/t/regular-tests/template-test/test.json: increment timeout multiplier to
avoid timeout errors when running on the autopkgtest cloud.
* d/t/regular-tests/tools-in-path/test.json: skip test when running on the
toolchains-ci CI pipeline.
* d/t/run-regular-tests: define environment variable to selectively add the
'toolchains-ci' trait to the test runner.
-- Ian Constantin <email address hidden> Fri, 22 May 2026 17:45:46 +0300
|
| Source diff to previous version |
| 2152591 |
New upstream microrelease .NET 8.0.127/8.0.27 |
| CVE-2026-42899 |
Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an unauthorized attacker to deny service over a network. |
|
|
dotnet8 (8.0.126-8.0.26-0ubuntu1~22.04.1) jammy-security; urgency=medium
[ Mateus Rodrigues de Morais ]
* New upstream release
* SECURITY UPDATE: denial of service
- CVE-2026-33116: Possible denial of service via infinite recursion in
XmlDecryptionTransform.
* SECURITY UPDATE: denial of service
- CVE-2026-32203: Possible denial of service via stack overflow in
EncryptedKey nested decryption.
* SECURITY UPDATE: remote code execution
- CVE-2026-32178: SMTP command injection and header injection via
MailAddress parsing flaw in System.Net.Mail.
* SECURITY UPDATE: security feature bypass
- CVE-2026-26171: denial of service and security feature bypass via unsafe
transforms in EncryptedXml.
-- Ian Constantin <email address hidden> Tue, 14 Apr 2026 19:43:50 +0000
|
| Source diff to previous version |
| CVE-2026-33116 |
Loop with unreachable exit condition ('infinite loop') in .NET, .NET Framework, Visual Studio allows an unauthorized attacker to deny service over a |
| CVE-2026-32203 |
Stack-based buffer overflow in .NET and Visual Studio allows an unauthorized attacker to deny service over a network. |
| CVE-2026-32178 |
Improper neutralization of special elements in .NET allows an unauthorized attacker to perform spoofing over a network. |
| CVE-2026-26171 |
Uncontrolled resource consumption in .NET allows an unauthorized attacker to deny service over a network. |
|
|
dotnet8 (8.0.125-8.0.25-0ubuntu1~22.04.1) jammy-security; urgency=medium
[ Mateus Rodrigues de Morais ]
* New upstream release
* SECURITY UPDATE: denial of service
- CVE-2026-26130: Possible denial-of-service via SignalR stateful
reconnect buffer overfill.
-- Ian Constantin <email address hidden> Sun, 08 Mar 2026 21:24:10 +0200
|
| CVE-2026-26130 |
Allocation of resources without limits or throttling in ASP.NET Core a ... |
|
About
-
Send Feedback to @ubuntu_updates