Package "dotnet-runtime-7.0"
Name: dotnet-runtime-7.0
Description: dotNET runtime
Latest version: 7.0.115-0ubuntu1~23.04.1
Release: lunar (23.04)
Level: security
Repository: universe
Head package: dotnet7
Homepage: https://dot.net/core
Changelog
dotnet7 (7.0.110-0ubuntu1~23.04.1) lunar-security; urgency=medium
* New upstream release.
* SECURITY UPDATE: remote code execution
- CVE-2023-35390: When running certain dotnet commands (e.g. dotnet help
add), dotnet attempts to locate and initiate a new process using
cmd.exe. However, it prioritizes searching for cmd.exe in the current
working directory (CWD) before checking other locations. This can
potentially lead to the execution of malicious code.
* SECURITY UPDATE: denial of service
- CVE-2023-38178: ASP.NET Kestrel stream flow control issue causing a
leak. A malicious QUIC client, that fires off many unidirectional
streams with closed writing sides. This will bypass the HTTP/3 stream
limit and Kestrel cannot keep up with stream processing.
* SECURITY UPDATE: denial of service
- CVE-2023-38180: Kestrel vulnerability to slow read attacks.
[ Dominik Viererbe ]
* d/README.source: updated content
* added support documentation
* added end of life process documentation
* general overhaul
* d/dotnet.sh.in: DOTNET_ROOT was unnecessarily set (LP: #2027620)
* d/t/essential-binaries-and-config-files-should-be-present:
remove check if DOTNET_ROOT is set
* d/watch
* updated matching-pattern to only match 6.0.1XX releases
* d/watch file will fail now deliberately. See comment in d/watch
for more information
* unify d/repack-dotnet-tarball.sh into d/build-dotnet-tarball.sh and
updated command line interface
-- Ian Constantin <email address hidden> Wed, 02 Aug 2023 21:08:44 +0300
CVE-2023-35390: .NET and Visual Studio Remote Code Execution Vulnerability
CVE-2023-38178: .NET Core and Visual Studio Denial of Service Vulnerability
CVE-2023-38180: .NET and Visual Studio Denial of Service Vulnerability
dotnet7 (7.0.109-0ubuntu1~23.04.1) lunar-security; urgency=medium
* New upstream release.
* SECURITY UPDATE: security feature bypass
- CVE-2023-33170: Race Condition in ASP.NET Core SignInManager<TUser>
PasswordSignInAsync Method.
* debian/tests/control: enabled test dotnet-runtime-json-contains-ubuntu-rids.
* debian/tests/.tests.rc.d/init.sh: fixed parsing error of runtime revision
number.
-- Ian Constantin <email address hidden> Thu, 06 Jul 2023 11:11:07 +0300
dotnet7 (7.0.108-0ubuntu1~23.04.1) lunar-security; urgency=medium
[ Mateus Rodrigues de Morais ]
* New upstream release.
- Fixes regression that was introduced with the bugfix for CVE-2023-29331:
Loading null-password-encrypted PFX certificates through .NET can fail
unexpectedly for certificates that previously loaded successfully.
-- Ian Constantin <email address hidden> Wed, 21 Jun 2023 16:12:31 +0300
dotnet7 (7.0.107-0ubuntu1~23.04.1) lunar-security; urgency=medium
* New upstream release.
* SECURITY UPDATE: elevation of privilege
- CVE-2023-24936: Bypass restrictions when deserializing a DataSet or
DataTable from XML.
* SECURITY UPDATE: denial of service
- CVE-2023-29331: When a .NET application is internet-facing and accepts
an X509 client certificate for mutual TLS, a malicious client certificate
can cause unbounded CPU usage.
* SECURITY UPDATE: remote code execution
- CVE-2023-29337: A vulnerability exists in NuGet where a potential race
condition can lead to a symlink attack.
* SECURITY UPDATE: elevation of privilege
- CVE-2023-32032: TarFile.ExtractToDirectory ignores extraction directory
argument.
* SECURITY UPDATE: remote code execution
- CVE-2023-33128: An issue in source generators can lead to a crash due to
unmanaged heap corruption.
* debian/patches/add-kinetic-rids.patch: removed due to inclusion upstream.
[ Dominik Viererbe ]
* d/t: extended autopkgtest:
* essential-binaries-and-config-files-should-be-present
* cli-metadata-should-be-correct
* global-json-should-be-detected
* console-template-should-build-and-run
* dotnet-help-should-show-output
* dotnet-project-management-cli-should-work
* example-fsharp-script-output-should-equal-expected-values
* building-hello-world-for-all-supported-rids-should-work
* dotnet-xunit-tests-should-work
* nuget-cli-should-be-able-to-consume-packages-from-nuget-gallery
* crossbuild-for-windows-x64-should-run
* dotnet6-and-dotnet7-should-work-together
-- Ian Constantin <email address hidden> Fri, 02 Jun 2023 22:38:23 +0300