UbuntuUpdates.org

Package "dotnet8"

Name: dotnet8

Description:

.NET CLI tools and runtime
Latest version: 8.0.121-8.0.21-0ubuntu1~25.04.1
Release: plucky (25.04)
Level: security
Repository: main
Homepage: https://dot.net

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "dotnet8"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "dotnet8" in Plucky

Repository Area Version
base main 8.0.115-8.0.15-0ubuntu1
base universe 8.0.15-0ubuntu1
security universe 8.0.121-0ubuntu1~25.04.1
updates main 8.0.121-8.0.21-0ubuntu1~25.04.1
updates universe 8.0.121-0ubuntu1~25.04.1

Packages in group

Deleted packages are displayed in grey.


Changelog

Version: 8.0.121-8.0.21-0ubuntu1~25.04.1 2025-10-14 21:08:59 UTC

  dotnet8 (8.0.121-8.0.21-0ubuntu1~25.04.1) plucky; urgency=medium

  * New upstream release
  * SECURITY UPDATE: denial of service
    - CVE-2025-55247: A vulnerability exists in .NET Core where predictable
      paths for MSBuild's temporary directories on Linux let another user
      create the directories ahead of MSBuild, leading to DoS of builds.
  * SECURITY UPDATE: validation bypass
    - CVE-2025-55315: Inconsistent interpretation of http requests
      ('http request/response smuggling') in ASP.NET Core allows an authorized
      attacker to bypass a security feature over a network.
  * SECURITY UPDATE: information disclosure
    - CVE-2025-55248: MITM (man in the middle) attacker may prevent use of TLS
      between client and SMTP server, forcing client to send data over
      unencrypted connection.
  * eng/test-runner: sync changes with upstream
  * tests/control, tests/regular-tests: sync changes with upstream
  * debian/rules: use release.json manifest instead of legacy text file

 -- Dominik Viererbe <email address hidden> Wed, 08 Oct 2025 13:49:14 +0300
Source diff to previous version
CVE-2025-55247 Improper link resolution before file access ('link following') in .NET ...
CVE-2025-55315 Inconsistent interpretation of http requests ('http request/response s ...
CVE-2025-55248 Inadequate encryption strength in .NET, .NET Framework, Visual Studio ...

Version: 8.0.117-8.0.17-0ubuntu1~25.04.1 2025-06-11 14:08:02 UTC

  dotnet8 (8.0.117-8.0.17-0ubuntu1~25.04.1) plucky; urgency=medium

  * New upstream release
  * SECURITY UPDATE: remote code execution
    - CVE-2025-30399: DLL Hijacking Remote Code Execution Vulnerability.
      When using the Download File task in Microsoft.NETCore.App.Runtime,
      omitting the DestinationFileName in the task invocation may expose
      users to remote file hijacking if the server is malicious.

 -- Dominik Viererbe <email address hidden> Mon, 09 Jun 2025 12:16:30 +0300
Source diff to previous version

Version: 8.0.116-8.0.16-0ubuntu1~25.04.1 2025-05-14 02:07:32 UTC

  dotnet8 (8.0.116-8.0.16-0ubuntu1~25.04.1) plucky; urgency=medium

  * New upstream release
  * SECURITY UPDATE: spoofing vulnerability
    - CVE-2025-26646: .NET and Visual Studio Spoofing Vulnerability
  * Remove strict bootstrapping artifact RID matching. Strict matching caused
    issues during bootstrapping of .NET for a new Ubuntu series, because it
    was build with the binary artifact of the previous series, which caused
    the RIDs not to match. (LP: #2110033) Affected files:
    - debian/rules
    - debian/eng/source_build_artifact_path.py
    - debian/tests/build-time-tests/tests.py

 -- Dominik Viererbe <email address hidden> Tue, 06 May 2025 13:59:06 +0300
2110033 Disable strict bootstrapping artifact RID matching


About   -   Send Feedback to @ubuntu_updates