[ubuntu/oracular-security] dotnet9 9.0.102-9.0.1-0ubuntu1~24.10.1 (Accepted)

Ian Constantin ian.constantin at canonical.com
Thu Jan 16 11:15:46 UTC 2025


dotnet9 (9.0.102-9.0.1-0ubuntu1~24.10.1) oracular; urgency=medium

  * New upstream release (LP: #2094271).
  * SECURITY UPDATE: remote code execution
    - CVE-2025-21171: Buffer overrun in Convert.TryToHexString. An attacker
      could exploit this vulnerability by sending a specially crafted request
      to the vulnerable web server.
  * SECURITY UPDATE: remote code execution
    - CVE-2025-21172: An integer overflow in msdia140.dll leads to heap-based
      buffer overflow, leading to possible RCE. An attacker could exploit this
      vulnerability by loading a specially crafted file in Visual Studio.
  * SECURITY UPDATE: remote code execution
    - CVE-2025-21176: Insufficient input data validation leads to heap-based
      buffer overflow in msdia140.dll. An attacker could exploit this
      vulnerability by loading a specially crafted file in Visual Studio.
  * SECURITY UPDATE: elevation of privilege
    - CVE-2025-21173: Insecure Temp File Usage Allows Malicious Package
      Dependency Injection on Linux. An attacker could exploit this
      vulnerability to write a specially crafted file in the security
      context of the local system. This only affects .NET on Linux operating
      systems.
  * d/patches: Renamed patch files to uniquely identify patches among all
    dotnet* source packages.
  * d/rules: Added override_dh_auto_clean to remove .NET and Python
    binary artifacts.
  * d/copyright, d/source/lintian-overrides.dotnet9: Fixed 
    superfluous-file-pattern warning for debian/eng/strenum,
    debian/eng/test-runner and debian/tests/regular-tests.
  * d/tests/build-time-tests/tests.py: Fixed crash when running for net8.0.
  * d/eng/dotnet-version.py, d/eng/versionlib/dotnet.py:
    Refactored deb version handling of irregular past releases.

dotnet9 (9.0.101-9.0.0-0ubuntu1~24.10.1) oracular; urgency=medium

  * New upstream release (LP: #2091009)
  * debian/rules, debian/eng/source_build_artifact_path.py: re-enable strict
    RID matching of last release.
  * debian/eng/dotnet-version.py: 
    - remove temporarily added '-rtm' to DOTNET_DEB_VERSION_SDK_ONLY due
      to higher SDK version number.
    - temporarily added '+build1' to DOTNET_DEB_VERSION_RUNTIME_ONLY to comply
      with FO127 due to same runtime version number compared to last upstream
      release.
  * disable 'host-probes-rid-assets-legacy' test: this test fails and fixing
    would require patching the legacy RID graph which we decided to no longer
    maintain.

Date: 2025-01-15 20:26:27.005257+00:00
Changed-By: Dominik Viererbe <dominik.viererbe at canonical.com>
Signed-By: Ian Constantin <ian.constantin at canonical.com>
https://launchpad.net/ubuntu/+source/dotnet9/9.0.102-9.0.1-0ubuntu1~24.10.1