-
dotnet6 (6.0.123-0ubuntu1~23.04.1) lunar-security; urgency=medium
* New upstream release.
* SECURITY UPDATE: denial of service
- CVE-2023-44487: Denial of service - Kestrel server.
-- Ian Constantin <email address hidden> Wed, 04 Oct 2023 23:02:20 +0300
-
dotnet6 (6.0.122-0ubuntu1~23.04.1) lunar-security; urgency=medium
* New upstream release.
* SECURITY UPDATE: denial of service
- CVE-2023-36799: A vulnerability exists in .NET when processing X.509
certificates that may result in Denial of Service.
* debian/tests/cli-metadata-should-be-correct: updated regex for the Host
Runtime Version check.
-- Nishit Majithia <email address hidden> Tue, 05 Sep 2023 12:29:44 +0530
-
dotnet6 (6.0.121-0ubuntu1~23.04.1) lunar-security; urgency=medium
* New upstream release.
* SECURITY UPDATE: remote code exection
- CVE-2023-35390: When running some dotnet commands(e.g. dotnet help
add), dotnet attempts to locate and initiate a new process using
cmd.exe. However, it prioritizes searching for cmd.exe in the current
working directory (CWD) before checking other locations. This can
potentially lead to the execution of malicious code.
* SECURITY UPDATE: denial of service
- CVE-2023-38178: ASP.NET Kestrel stream flow control issue causing a
leak. A malicious QUIC client, that fires off many unidirectional
streams with closed writing sides. This will bypass the HTTP/3 stream
limit and Kestrel cannot keep up with stream processing.
* SECURITY UPDATE: denial of service
- CVE-2023-38180: Kestrel vulnerability to slow read attacks
[ Dominik Viererbe ]
* d/README.source: updated content
* added support documentation
* added end of life process documentation
* general overhaul
* d/dotnet.sh.in: DOTNET_ROOT was unnecessarily set (LP: #2027620)
* d/t/essential-binaries-and-config-files-should-be-present:
remove check if DOTNET_ROOT is set
* d/watch
* updated matching-pattern to only match 6.0.1XX releases
* d/watch file will fail now deliberately. See comment in d/watch
for more information
* unify d/repack-dotnet-tarball.sh into d/build-dotnet-tarball.sh and
updated command line interface
-- Nishit Majithia <email address hidden> Wed, 02 Aug 2023 13:15:33 +0530
-
dotnet6 (6.0.120-0ubuntu1~23.04.1) lunar-security; urgency=medium
* New upstream release.
* SECURITY UPDATE: security feature bypass
- CVE-2023-33170: Race Condition in ASP.NET Core SignInManager<TUser>
PasswordSignInAsync Method
* debian/tests/control: enabled test dotnet-runtime-json-contains-ubuntu-rids
* debian/tests/.tests.rc.d/init.sh: fixed parsing error of runtime revision number
-- Nishit Majithia <email address hidden> Thu, 06 Jul 2023 11:47:43 +0530
-
dotnet6 (6.0.119-0ubuntu1~23.04.1) lunar-security; urgency=medium
[ Dominik Viererbe ]
* New upstream release.
- Fixes regression that was introduced with the bugfix for CVE-2023-29331:
Loading null-password-encrypted PFX certificates through .NET can fail
unexpectedly for certificates that previously loaded successfully.
-- Nishit Majithia <email address hidden> Thu, 22 Jun 2023 15:37:34 +0530
-
dotnet6 (6.0.118-0ubuntu1~23.04.1) lunar-security; urgency=medium
* New upstream release.
* SECURITY UPDATE: elevation of privilege
- CVE-2023-24936: Bypass restrictions when deserializing a DataSet or
DataTable from XML.
* SECURITY UPDATE: denial of service
- CVE-2023-29331: When a .NET application is internet-facing and accepts
an X509 client certificate for mutual TLS, a malicious client certificate
can cause unbounded CPU usage.
* SECURITY UPDATE: remote code exection
- CVE-2023-29337: A vulnerability exists in NuGet where a potential race
condition can lead to a symlink attack.
* SECURITY UPDATE: remote code execution
- CVE-2023-33128: An issue in source generators can lead to a crash due to
unmanaged heap corruption.
* debian/patches/add-kinetic-rids.patch: removed due to inclusion upstream.
[ Dominik Viererbe ]
* d/t: extended autopkgtest:
* essential-binaries-and-config-files-should-be-present
* cli-metadata-should-be-correct
* global-json-should-be-detected
* console-template-should-build-and-run
* dotnet-help-should-show-output
* dotnet-project-management-cli-should-work
* example-fsharp-script-output-should-equal-expected-values
* building-hello-world-for-all-supported-rids-should-work
* dotnet-xunit-tests-should-work
* nuget-cli-should-be-able-to-consume-packages-from-nuget-gallery
* crossbuild-for-windows-x64-should-run
* dotnet6-and-dotnet7-should-work-together
-- Ian Constantin <email address hidden> Fri, 02 Jun 2023 18:40:45 +0300
-
dotnet6 (6.0.116-0ubuntu2) lunar; urgency=medium
* tests/basic-checks: updated basic version check to new dotnet version.
-- Ian Constantin <email address hidden> Wed, 12 Apr 2023 12:01:23 +0300
-
dotnet6 (6.0.116-0ubuntu1) lunar; urgency=medium
* New upstream release.
* SECURITY UPDATE: elevation of privilege
- CVE-2023-28260: AzureDevOps Elevation of Privilege - Dotnet CWD dll
hijack vuln.
-- Ian Constantin <email address hidden> Wed, 05 Apr 2023 16:11:34 +0300
-
dotnet6 (6.0.115-0ubuntu2) lunar; urgency=medium
* d/p/add-kinetic-rids.patch: Added RIDs for ubuntu 22.10 kinetic.
- Based on the dropped d/p/66225runtime-fix-runtime-id.patch
from wfurt <email address hidden>.
-- Dominik Viererbe <email address hidden> Tue, 21 Mar 2023 19:58:57 +0200
-
dotnet6 (6.0.115-0ubuntu1) lunar; urgency=medium
* New upstream microrelease.
* d/p/66225runtime-fix-runtime-id.patch: Dropped.
-- Miriam España Acebal <email address hidden> Fri, 10 Mar 2023 13:02:43 +0100
-
dotnet6 (6.0.114-0ubuntu1) lunar; urgency=medium
* New upstream microrelease.
* d/control: Using libicu72.
* d/p/1501sdk-22373-portablerid.patch: Dropped.
* d/repack-dotnet-tarball.sh: New file. Repack MS tarball.
* d/rules: if-else for bootstrapping building versus normal one (as done
for dotnet7). Reenabling install_location file per architecture. Removing
unused commented lines for clarity.
* d/tests: Updating these to match the style of those in dotnet7.
-- Miriam España Acebal <email address hidden> Thu, 09 Mar 2023 12:15:50 +0100
-
dotnet6 (6.0.113-0ubuntu2) lunar; urgency=medium
* Rebuild against latest icu
-- Jeremy Bicha <email address hidden> Sat, 04 Feb 2023 10:32:29 -0500
-
dotnet6 (6.0.113-0ubuntu1) lunar; urgency=medium
* New upstream release.
* SECURITY UPDATE: denial of service
- CVE-2023-21538: Parsing an empty HTTP response as a JSON.NET JObject
causes a stack overflow and crashes a process.
-- Ian Constantin <email address hidden> Thu, 05 Jan 2023 10:29:20 +0200
-
dotnet6 (6.0.112-0ubuntu1) lunar; urgency=medium
* New upstream release (LP: #1999549).
* d/p/series: Removing patch
73065-runtime-fix-definition-cpuid-clang-15.patch.
* d/dotnet-host.install.in: Fix destination of install_location*
files (LP: #1999266).
* d/dotnet.sh.in: Eliminate the condition to force updating of
DOTNET_ROOT variable (LP: #1997746).
-- Miriam España Acebal <email address hidden> Tue, 13 Dec 2022 11:03:19 +0100
-
dotnet6 (6.0.111-0ubuntu3) lunar; urgency=medium
* Don't remove the --with-sdk option, this is supposed to be there.
-- Steve Langasek <email address hidden> Thu, 17 Nov 2022 20:57:19 +0000
-
dotnet6 (6.0.111-0ubuntu2) lunar; urgency=medium
* Packaging fixups to fix ftbfs against existing 6.0.110.
* Refresh debian/patches/66225runtime-fix-runtime-id.patch for lunar.
-- Steve Langasek <email address hidden> Thu, 17 Nov 2022 19:44:47 +0000
-
dotnet6 (6.0.111-0ubuntu1) lunar; urgency=medium
* New upstream release.
* d/build-dotnet-tarball-sh: No removing libunwind needed by arm64.
* d/control: building for arm64 too.
* d/copyright: Non excluding libunwind needed by arm64..
* d/dotnet-host.install.in: Removing manpages and bash-completion.
* d/dotnet-host.links.in: New file for dotnet binary.
* d/dotnet-host.preinst: New file for removing alternatives.
* d/dotnet-host.manpages : New file.
* d/dotnet-host.lintian-overrides: New file for man page warnings
that are being fixed in upstream.
* d/p/remove-libunwind-build.patch : Modified to apply depending
on architecture.
* d/rules:
+ DOTNETLIBDIR is now only DOTNET_TOP
+ Adding --with bash-completion
+ Eliminating dependants creation for alternatives.
+ Eliminating manual installation of man pages.
(LP: #1996499)
-- Miriam España Acebal <email address hidden> Mon, 31 Oct 2022 14:32:47 +0200
-
dotnet6 (6.0.110-0ubuntu1) kinetic; urgency=medium
* New upstream release.
* SECURITY UPDATE: cache poisoning
- CVE-2022-41032: Nuget cache poisoning via world-writable cache directory.
[ Miriam España Acebal ]
* d/rules: _minor_sdk_version calculation updated to parse last two digits.
* d/p/10199-arcade-add-clang-15-autodetection.patch
and d/p/73065-runtime-fix-definition-cpuid-clang-15.patch: New
patches for avoiding FTBFS when using clang-15 on amd64 architectures.
-- Ian Constantin <email address hidden> Tue, 11 Oct 2022 11:11:12 -0400
