UbuntuUpdates.org

Package "dotnet8"

Name: dotnet8

Description:

.NET CLI tools and runtime

Latest version: 8.0.129-8.0.29-0ubuntu1~24.04.1
Release: noble (24.04)
Level: security
Repository: main
Homepage: https://dot.net

Links


Download "dotnet8"


Other versions of "dotnet8" in Noble

Repository Area Version
base main 8.0.104-8.0.4-0ubuntu1
base universe 8.0.104-0ubuntu1
security universe 8.0.129-0ubuntu1~24.04.1
updates main 8.0.128-8.0.28-0ubuntu1~24.04.1
updates universe 8.0.128-0ubuntu1~24.04.1

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 8.0.129-8.0.29-0ubuntu1~24.04.1 2026-07-15 15:31:39 UTC

  dotnet8 (8.0.129-8.0.29-0ubuntu1~24.04.1) noble-security; urgency=medium

  * New upstream release
  * SECURITY UPDATE: denial of service
    - CVE-2026-57108: .NET runtime - CryptoNative_GetX509NameInfo - UPN
      BOOLEAN ASN.1 type-confusion DoS.
  * SECURITY UPDATE:
    - CVE-2026-47303: ASP.NET Core - Negotiate/LdapAdapter.cs - LDAP
      identifier confusion CN vs sAMAccountName.
  * SECURITY UPDATE: code injection
    - CVE-2026-47300: LdapAdapter query validation fix - LDAP injection via
      unvalidated filter input.
  * SECURITY UPDATE: code injection
    - CVE-2026-50659: System.Net.Mail - SMTP smuggling via CRLF split across
      buffers.
  * SECURITY UPDATE: security feature bypass
    - CVE-2026-50528: System.Net.Security - additional SslStream fix (auth
      bypass via ignored channel binding).
  * SECURITY UPDATE: denial of service
    - CVE-2026-50525: EncryptedXml/TransformChain - DoS via XML transform
      chain DTD/base64 amplification.
  * SECURITY UPDATE: security feature bypass
    - CVE-2026-47304: EncryptedXml - XML Encryption vulnerability
      (SignedXml.CheckSignature forgery via empty HMAC).
  * SECURITY UPDATE: stack overflow
    - CVE-2026-50527: EncryptedXml - System.Security.Cryptography.Xml.Utils -
      Unauth XML triggers Type.GetType stack overflow.
  * SECURITY UPDATE: denial of service
    - CVE-2026-50648: EncryptedXml - XmlDecryptionTransform document-rooted
      XPath queries causing O(n²) CPU DoS.
  * SECURITY UPDATE: denial of service
    - CVE-2026-47302: EncryptedXml - XML Encryption vulnerability +
      XmlTextReaderImpl.Read duplicate attributes DoS.
  * SECURITY UPDATE: security feature bypass
    - CVE-2026-50524: System.Net.Security - SslStream handshake with malformed
      TLS packets.
  * SECURITY UPDATE: blob injection
    - CVE-2026-50526: .NET SDK - Container image build cache uses predictable
      world-writable location enabling blob injection.
  * SECURITY UPDATE: denial of service
    - CVE-2026-50651: SocketsHttpHandler Http2Connection - HTTP/2
      SETTINGS/PING ACK flood causing OOM.
  * Fix `dotnet sdk check` command source URL. (LP: #2156464)
    - d/eng/dotnet-pkg-info.mk: strip suffixes from changelog distribution
      name to avoid using wrong release names.
    - d/t/regular-tests/dotnet-sdk-check-url-verification: test to verify the
      sdk check command queries a URL with a valid release name.
    - d/t/regular-tests/README.md: add distro-info as a necessary dependency
      for the testsuite.
    - d/t/control: add distro-info as a test dependency.

 -- Mateus Rodrigues de Morais <email address hidden> Tue, 07 Jul 2026 17:23:34 -0300

Source diff to previous version
CVE-2026-57108 Access of resource using incompatible type ('type confusion') in .NET Core allows an unauthorized attacker to deny service over a network.
CVE-2026-47303 Authentication bypass by assumed-immutable data in ASP.NET Core allows an authorized attacker to elevate privileges over a network.
CVE-2026-47300 Incorrect implementation of authentication algorithm in ASP.NET Core allows an authorized attacker to elevate privileges over a network.
CVE-2026-50659 Improper encoding or escaping of output in .NET allows an authorized attacker to perform spoofing over a network.
CVE-2026-50528 Incorrect authorization in .NET allows an unauthorized attacker to bypass a security feature over a network.
CVE-2026-50525 Allocation of resources without limits or throttling in .NET allows an unauthorized attacker to deny service over a network.
CVE-2026-47304 Improper verification of cryptographic signature in .NET allows an unauthorized attacker to bypass a security feature over a network.
CVE-2026-50527 Stack-based buffer overflow in .NET Framework allows an unauthorized attacker to deny service over a network.
CVE-2026-50648 Allocation of resources without limits or throttling in .NET Framework allows an unauthorized attacker to deny service over a network.
CVE-2026-47302 Allocation of resources without limits or throttling in .NET allows an unauthorized attacker to deny service over a network.
CVE-2026-50524 Improper validation of specified type of input in .NET Framework allows an unauthorized attacker to deny service over a network.
CVE-2026-50526 Improper link resolution before file access ('link following') in .NET allows an authorized attacker to perform tampering locally.
CVE-2026-50651 Allocation of resources without limits or throttling in .NET allows an unauthorized attacker to deny service over a network.

Version: 8.0.128-8.0.28-0ubuntu1~24.04.1 2026-06-11 07:07:35 UTC

  dotnet8 (8.0.128-8.0.28-0ubuntu1~24.04.1) noble-security; urgency=medium

  [ Mateus Rodrigues de Morais ]
  * New upstream release
  * SECURITY UPDATE: arbitrary file write
    - CVE-2026-45491: improper link resolution before file access
      ('link following') in .NET allows an unauthorized attacker to perform
      local tampering.
  * SECURITY UPDATE: denial of service
    - CVE-2026-45591: Stack overflow DoS via deeply-nested MessagePack arrays.

 -- Ian Constantin <email address hidden> Wed, 10 Jun 2026 10:35:01 +0300

Source diff to previous version
CVE-2026-45491 Improper link resolution before file access ('link following') in .NET allows an unauthorized attacker to perform tampering locally.
CVE-2026-45591 Uncontrolled resource consumption in ASP.NET Core allows an unauthorized attacker to deny service over a network.

Version: 8.0.127-8.0.27-0ubuntu1~24.04.1 2026-05-25 10:07:25 UTC

  dotnet8 (8.0.127-8.0.27-0ubuntu1~24.04.1) noble-security; urgency=medium

  * SECURITY UPDATE: denial of service
    - CVE-2026-42899: Loop with unreachable exit condition ('infinite loop')
      in ASP.NET Core allows an unauthorized attacker to deny service over a
      network.

  [ Mateus Rodrigues de Morais ]
  * New upstream release (LP: #2152591)
  * d/t/regular-tests/check-test-results: match to any NU1102 error
    occurrences when ignoring package not found restore errors.
  * d/t/regular-tests/template-test/test.json: increment timeout multiplier to
    avoid timeout errors when running on the autopkgtest cloud.
  * d/t/regular-tests/tools-in-path/test.json: skip test when running on the
    toolchains-ci CI pipeline.
  * d/t/run-regular-tests: define environment variable to selectively add the
    'toolchains-ci' trait to the test runner.

 -- Ian Constantin <email address hidden> Fri, 22 May 2026 17:45:46 +0300

Source diff to previous version
2152591 New upstream microrelease .NET 8.0.127/8.0.27
CVE-2026-42899 Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an unauthorized attacker to deny service over a network.

Version: 8.0.126-8.0.26-0ubuntu1~24.04.1 2026-04-15 22:08:29 UTC

  dotnet8 (8.0.126-8.0.26-0ubuntu1~24.04.1) noble-security; urgency=medium

  [ Mateus Rodrigues de Morais ]
  * New upstream release
  * SECURITY UPDATE: denial of service
    - CVE-2026-33116: Possible denial of service via infinite recursion in
      XmlDecryptionTransform.
  * SECURITY UPDATE: denial of service
    - CVE-2026-32203: Possible denial of service via stack overflow in
      EncryptedKey nested decryption.
  * SECURITY UPDATE: remote code execution
    - CVE-2026-32178: SMTP command injection and header injection via
      MailAddress parsing flaw in System.Net.Mail.
  * SECURITY UPDATE: security feature bypass
    - CVE-2026-26171: denial of service and security feature bypass via unsafe
      transforms in EncryptedXml.

 -- Ian Constantin <email address hidden> Tue, 14 Apr 2026 19:43:50 +0000

Source diff to previous version
CVE-2026-33116 Loop with unreachable exit condition ('infinite loop') in .NET, .NET Framework, Visual Studio allows an unauthorized attacker to deny service over a
CVE-2026-32203 Stack-based buffer overflow in .NET and Visual Studio allows an unauthorized attacker to deny service over a network.
CVE-2026-32178 Improper neutralization of special elements in .NET allows an unauthorized attacker to perform spoofing over a network.
CVE-2026-26171 Uncontrolled resource consumption in .NET allows an unauthorized attacker to deny service over a network.

Version: 8.0.125-8.0.25-0ubuntu1~24.04.1 2026-03-11 00:08:02 UTC

  dotnet8 (8.0.125-8.0.25-0ubuntu1~24.04.1) noble-security; urgency=medium

  [ Mateus Rodrigues de Morais ]
  * New upstream release
  * SECURITY UPDATE: denial of service
    - CVE-2026-26130: Possible denial-of-service via SignalR stateful
      reconnect buffer overfill.

 -- Ian Constantin <email address hidden> Sun, 08 Mar 2026 21:24:23 +0200

CVE-2026-26130 Allocation of resources without limits or throttling in ASP.NET Core a ...



About   -   Send Feedback to @ubuntu_updates