Package "dotnet9"
Name: dotnet9
Description: .NET CLI tools and runtime
Latest version: 9.0.107-9.0.6-0ubuntu1~24.10.1
Release: oracular (24.10)
Level: security
Repository: universe
Homepage: https://dot.net
Changelog
dotnet9 (9.0.107-9.0.6-0ubuntu1~24.10.1) oracular; urgency=medium
* New upstream release
* SECURITY UPDATE: remote code execution
- CVE-2025-30399: DLL Hijacking Remote Code Execution Vulnerability.
When using the Download File task in Microsoft.NETCore.App.Runtime,
omitting the DestinationFileName in the task invocation may expose
users to remote file hijacking if the server is malicious.
-- Dominik Viererbe <email address hidden> Mon, 09 Jun 2025 12:16:30 +0300
dotnet9 (9.0.106-9.0.5-0ubuntu1~24.10.1) oracular; urgency=medium
* New upstream release
* SECURITY UPDATE: spoofing vulnerability
- CVE-2025-26646: .NET and Visual Studio Spoofing Vulnerability
* Remove strict bootstrapping artifact RID matching. Strict matching caused
issues during bootstrapping of .NET for a new Ubuntu series, because it
was built with the binary artifact of the previous series, which caused
the RIDs not to match. (LP: #2110033) Affected files:
- debian/rules
- debian/eng/source_build_artifact_path.py
- debian/tests/build-time-tests/tests.py
-- Dominik Viererbe <email address hidden> Tue, 06 May 2025 13:59:06 +0300
LP #2110033: Disable strict bootstrapping artifact RID matching

dotnet9 (9.0.105-9.0.4-0ubuntu1~24.10.1) oracular; urgency=medium
* New upstream release
* SECURITY UPDATE: denial of service
- CVE-2025-26682: DoS - ASP.NET Core denial of service with HTTP/3
-- Dominik Viererbe <email address hidden> Fri, 04 Apr 2025 12:32:57 +0300
CVE-2025-26682: Allocation of resources without limits or throttling in ASP.NET Core a ...

dotnet9 (9.0.104-9.0.3-0ubuntu1~24.10.1) oracular; urgency=medium
* New upstream release (LP: #2101029)
* SECURITY UPDATE: elevation of privilege
- CVE-2025-24070: EoP - Potential Security Risk in
SignInManager.RefreshSignInAsync Method
* debian/control:
- moved Recommends dotnet-sdk-aot-9.0 from dotnet9 to dotnet-sdk-9.0
- moved Suggests dotnet-runtime-dbg-9.0 from dotnet9 to dotnet-runtime-9.0
- moved Suggests aspnetcore-runtime-dbg-9.0 from dotnet9 to aspnetcore-runtime-9.0
- moved Suggests dotnet-sdk-dbg-9.0 from dotnet9 to dotnet-sdk-9.0
-- Dominik Viererbe <email address hidden> Thu, 06 Mar 2025 11:24:30 +0200
LP #2101029: New upstream microrelease 9.0.104/9.0.3
CVE-2025-24070: Weak authentication in ASP.NET Core & Visual Studio allows an unau ...

dotnet9 (9.0.102-9.0.1-0ubuntu1~24.10.1) oracular; urgency=medium
* New upstream release (LP: #2094271).
* SECURITY UPDATE: remote code execution
- CVE-2025-21171: Buffer overrun in Convert.TryToHexString. An attacker
could exploit this vulnerability by sending a specially crafted request
to the vulnerable web server.
* SECURITY UPDATE: remote code execution
- CVE-2025-21172: An integer overflow in msdia140.dll leads to heap-based
buffer overflow, leading to possible RCE. An attacker could exploit this
vulnerability by loading a specially crafted file in Visual Studio.
* SECURITY UPDATE: remote code execution
- CVE-2025-21176: Insufficient input data validation leads to heap-based
buffer overflow in msdia140.dll. An attacker could exploit this
vulnerability by loading a specially crafted file in Visual Studio.
* SECURITY UPDATE: elevation of privilege
- CVE-2025-21173: Insecure Temp File Usage Allows Malicious Package
Dependency Injection on Linux. An attacker could exploit this
vulnerability to write a specially crafted file in the security
context of the local system. This only affects .NET on Linux operating
systems.
* d/patches: Renamed patch files to uniquely identify patches among all
dotnet* source packages.
* d/rules: Added override_dh_auto_clean to remove .NET and Python
binary artifacts.
* d/copyright, d/source/lintian-overrides.dotnet9: Fixed
superfluous-file-pattern warning for debian/eng/strenum,
debian/eng/test-runner and debian/tests/regular-tests.
* d/tests/build-time-tests/tests.py: Fixed crash when running for net8.0.
* d/eng/dotnet-version.py, d/eng/versionlib/dotnet.py:
Refactored deb version handling of irregular past releases.
-- Dominik Viererbe <email address hidden> Wed, 15 Jan 2025 20:11:26 +0200
LP #2094271: [SRU] New upstream microrelease .NET 9.0.102/9.0.1
CVE-2025-21171: .NET Remote Code Execution Vulnerability
CVE-2025-21172: .NET and Visual Studio Remote Code Execution Vulnerability
CVE-2025-21176: .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability
CVE-2025-21173: .NET Elevation of Privilege Vulnerability