dotnet8 (8.0.114-8.0.14-0ubuntu1~22.04.1) jammy; urgency=medium

  * New upstream release (LP: #2101028)
  * SECURITY UPDATE: elevation of privilege
    - CVE-2025-24070: EoP - Potential Security Risk in
      SignInManager.RefreshSignInAsync Method
  * debian/control:
    - moved Suggests dotnet-runtime-dbg-8.0 from dotnet8 to dotnet-runtime-8.0
    - moved Suggests aspnetcore-runtime-dbg-8.0 from dotnet8 to aspnetcore-runtime-8.0
    - moved Suggests dotnet-sdk-dbg-8.0 from dotnet8 to dotnet-sdk-8.0

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Thu, 06 Mar 2025 11:24:30 +0200

dotnet8 (8.0.113-8.0.13-0ubuntu1~22.04.1) jammy; urgency=medium

  * New upstream release (LP: #2097013)
  * Updated security information of last changelog with latest information from
    upstream maintainers.

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Mon, 10 Feb 2025 20:56:02 +0200

dotnet8 (8.0.112-8.0.12-0ubuntu1~22.04.1) jammy; urgency=medium

  * New upstream release (LP: #2094272).
  * SECURITY UPDATE: elevation of privilege
    - CVE-2025-21173: Insecure Temp File Usage Allows Malicious Package
      Dependency Injection on Linux. An attacker could exploit this
      vulnerability to writing a specially crafted file in the security
      context of the local system. This only affects .NET on Linux operating
      systems.
  * Unified source build transition. The debian source tree for dotnet*
    source packages is now build from a common source (see also: 
    https://github.com/canonical/dotnet-source-build/pull/13). Changes include:
    - d/rules: Refactored; the same file is now used by
      all dotnet* source packages. A major change is the use of substvars.
    - d/control: Change hard-coded libicu* to dynamic ${libicu:Depends} substvar.
    - d/eng/dotnet-pkg-info.mk: Added to provide common information and
      functionality for all dotnet* source packages. Is used by d/rules.
    - Removed .in file extension from the files
      d/*.{install,manpages,dirs,docs,preinst,sh}.in and used substvars.
    - d/eng/build-dotnet-tarball.sh: Removed.
    - d/eng/source_build_artifact_path.py, d/eng/versionlib,
      d/tests/regular-tests: Updated; includes bug-fixes from
      other dotnet* source packages.
    - d/patches: Renamed patch files to uniquely identify patches among all
      dotnet* source packages.
  * d/aspnetcore-runtime-8.0.docs: Included src/razor/NOTICE.txt in package to
    comply with Apache-2.0 paragraph 4 section (d).
  * d/control:
    - Alphabetically sorted Build-Depends.
    - Added tree to Build-Depends for debugging purposes.
    - Fixed descriptions with invalid control statements
      (lines containing a space, a full stop and some more characters)
      to comply with Section 5.6.13 in the Debian Policy Manual.
    - Added dotnet-runtime-dbg-8.0, aspnetcore-runtime-dbg-8.0,
      dotnet-sdk-dbg-8.0 to dotnet8 Suggests.
  * d/copyright:
    - Refresh copyright info.
    - Add LGPL-2.1 license text.
  * d/rules: Added override_dh_auto_clean to remove .NET and Python
    binary artifacts.
  * lintian overrides:
    - Silenced dotnet-sdk-8.0-source-built-artifacts: package-has-long-file-name
      The long file name is unavoidable.
    - Silenced FO127 related lintian warning 
      hyphen-in-upstream-part-of-debian-changelog-version.
    - Silenced manpage troff warnings. Troff complains that it is silly that the
      dotnet8 manpages select a monospace font on a terminal output that only
      supports monospace fonts.

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Wed, 15 Jan 2025 20:11:26 +0200

dotnet8 (8.0.111-8.0.11-0ubuntu1~22.04.1) jammy; urgency=medium

  * New upstream release (LP: #2087882)

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Fri, 08 Nov 2024 18:16:21 +0200

dotnet8 (8.0.110-8.0.10-0ubuntu1~22.04.1) jammy-security; urgency=medium

  * New upstream release
  * SECURITY UPDATE: remote code execution
    - CVE-2024-38229: Kestrel http/3 - When closing an HTTP/3 stream while
      application code is writing to the response body, a race condition may
      lead to remote code execution.
  * SECURITY UPDATE: denial of service
    - CVE-2024-43483: Multiple .NET components designed to process hostile
      input are susceptible to hash flooding attacks.
  * SECURITY UPDATE: denial of service
    - CVE-2024-43484: System.IO.Packaging - Multiple DoS vectors in use of
      SortedList.
  * SECURITY UPDATE: denial of service
    - CVE-2024-43485: Denial of Service attack against System.Text.Json
      ExtensionData feature.

 -- Ian Constantin <ian.constantin@canonical.com>  Wed, 02 Oct 2024 09:54:14 +0300

dotnet8 (8.0.108-8.0.8-0ubuntu1~22.04.2) jammy; urgency=medium

  * Add s390x and ppc64el as supported architectures (LP: #2080023).
    - d/control, d/rules: Add s390x and ppc64el as supported architectures.
    - d/eng/versionlib/dotnet.py: Add ppc64le to ArchitectureIdentifier.
  * d/p/0001-roslyn-analyzers-dont-use-apphost.patch: Fix ppc64el FTBFS by
    disabling usage of AppHost in roslyn-analyzers PerformanceTests project.
  * d/p/0002-vstest-intent-net8.0.patch: Fix ppc64el FTBFS by changing the
    vstest Intent test project TFM to net8.0.
  * d/t/regular-tests: Update regular-tests to latest available version to fix
    autpkgtest failure.
  * d/eng/test-runner: Update test runner to latest version (v1.1.0) to fix
    autopkgtest failure in ppc64el.

 -- Mateus Rodrigues de Morais <mateus.morais@canonical.com>  Thu, 29 Aug 2024 17:00:02 -0300

dotnet8 (8.0.108-8.0.8-0ubuntu1~22.04.1) jammy-security; urgency=medium

  * New upstream release
  * SECURITY UPDATE: information disclosure
    - CVE-2024-38167: information disclosure vulnerability in TlsStream.

 -- Ian Constantin <ian.constantin@canonical.com>  Thu, 08 Aug 2024 16:43:10 +0300

dotnet8 (8.0.107-8.0.7-0ubuntu1~22.04.1) jammy-security; urgency=medium

  * New upstream release
  * SECURITY UPDATE: denial of service
    - CVE-2024-30105: Denial of service vulnerability in System.Text.Json
      deserialization.
  * SECURITY UPDATE: denial of service
    - CVE-2024-35264: Denial of service in ASP.NET Core 8.
  * SECURITY UPDATE: denial of service
    - CVE-2024-38095: Denial of service in parsing X.509 Content and
      ObjectIdentifiers.
  * debian/eng/build-dotnet-tarball.sh: SECURITY_PARTNERS_REPOSITORY
    connection method updated.

 -- Ian Constantin <ian.constantin@canonical.com>  Tue, 02 Jul 2024 11:56:00 +0300

dotnet8 (8.0.105-8.0.5-0ubuntu1~22.04.1) jammy-security; urgency=medium

  * New upstream release
  * SECURITY UPDATE: stack buffer overflow
    - CVE-2024-30045: a stack based buffer overflow in the .NET Double Parse
      routine allows for remote code execution.
  * SECURITY UPDATE: resource dead-lock
    - CVE-2024-30046: a dead-lock in Http2OutputProducer.Stop() results in a
      denial of service.

 -- Ian Constantin <ian.constantin@canonical.com>  Thu, 09 May 2024 17:16:36 +0300

dotnet8 (8.0.104-8.0.4-0ubuntu1~22.04.1) jammy; urgency=medium

  * New upstream release (LP: #2060261).
  * debian/README.source: Update support information (LP: #2058746).
  * debian/eng/versionlib: Add support for '+really' and '~bootstrap+ARCH' 
                           in version string.
  * debian/tests/versionlib-tests: Add versionlib unit tests
    - debian/tests/run-versionlib-tests.sh: script to run the tests
  * Added new binary packages for debug symbols.
  * Moved RID-specific targeting packs to dotnet-sdk

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Fri, 05 Apr 2024 06:24:17 +0300

dotnet8 (8.0.103-8.0.3-0ubuntu1~22.04.2) jammy; urgency=medium

  * Add ca-certificates to dotnet-sdk-8.0 depends (LP: #2057982).
  * Replace debian/tests:
    - Add debian/tests/01_regular-tests & debian/tests/regular-tests
      (testcases files; included version of: 
      https://github.com/canonical/dotnet-regular-tests/).
    - Add debian/tests/build-time-tests
  * debian/rules: Added override_dh_auto_test; runs d/t/build-time-tests
  * debian/copyright: Update debian/ copyright information
  * debian/eng: Added directory for scripts & libraries used within the package:
    - Add debian/eng/test-runner (executes debian/tests/regular-tests testcases;
      included version of: https://github.com/canonical/dotnet-test-runner).
    - Added debian/eng/versionlib (.NET version parsing library; used by 
      debian/tests).
    - Added debian/eng/strenum; needed by debian/eng/versionlib
    - Added debian/eng/dotnet-version.py; needed by debian/tests/01_regular-tests
    - Moved debian/watch-script.sh and debian/build-dotnet-tarball.sh 
      to debian/eng
  * Removed debian/repack-dotnet-tarball.sh (deprecated)

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Mon, 18 Mar 2024 14:34:59 +0200

dotnet8 (8.0.103-8.0.3-0ubuntu1~22.04.1) jammy-security; urgency=medium

  * New upstream release
  * SECURITY UPDATE: denial of service
    - CVE-2024-21392: DoS in .NET Core / YARP HTTP / 2 WebSocket support.

 -- Ian Constantin <ian.constantin@canonical.com>  Fri, 08 Mar 2024 10:26:16 +0200

dotnet8 (8.0.102-8.0.2-0ubuntu1~22.04.1) jammy-security; urgency=medium

  * New upstream release
  * SECURITY UPDATE: denial of service
    - CVE-2024-21386: denial of service vector in SignalR server.
  * SECURITY UPDATE: denial of service
    - CVE-2024-21404: .NET with OpenSSL support is vulnerable to a denial of
      service when parsing X509 certificates.

 -- Ian Constantin <ian.constantin@canonical.com>  Mon, 12 Feb 2024 22:08:53 +0200

dotnet8 (8.0.101-8.0.1-0ubuntu1~22.04.1) jammy-security; urgency=medium

  * New upstream release
  * SECURITY UPDATE: validation bypass
    - CVE-2024-0057: X509 Certificates - Validation Bypass across Azure
  * SECURITY UPDATE: denial of service
    - CVE-2024-21319: Azure Identity - Pre-Authentication DoS in JWT
  * debian/build-dotnet-tarball.sh: rename function print_err to print_error

 -- Ian Constantin <ian.constantin@canonical.com>  Mon, 12 Feb 2024 11:04:58 +0200

dotnet8 (8.0.100-8.0.0-0ubuntu1~22.04.1) jammy; urgency=medium

  * Backport to Ubuntu 22.04 LTS Jammy Jellyfish (LP: #2046133).
    - d/control: change dotnet-runtime-8.0 Depends from libicu72 to libicu70

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Mon, 11 Dec 2023 08:02:06 +0200

dotnet8 (8.0.100-8.0.0-0ubuntu1~23.10.1) mantic-security; urgency=medium

  * New upstream release
  * SECURITY UPDATE: security feature bypass
    - CVE-2023-36558: Security Feature Bypass in Blazor forms
  * SECURITY UPDATE: Arbitrary File Write and Deletion
    - CVE-2023-36049: Microsoft .NET FormatFtpCommand CRLF Injection
      Arbitrary File Write and Deletion

 -- Ian Constantin <ian.constantin@canonical.com>  Mon, 13 Nov 2023 11:10:48 +0200

dotnet8 (8.0.100-8.0.0~rc2-0ubuntu1) mantic-security; urgency=medium

  * New upstream release.
  * SECURITY UPDATE: denial of service
    - CVE-2023-44487: Denial of service - Kestrel server.
  * debian/tests/cli-metadata-should-be-correct: updated regex for the Host
    Runtime Version check.

  [ Mateus Rodrigues de Morais ]
  * debian/rules: removed uneeded sym link for
    $(DOTNET_TOP)/source-built-artifacts/Private.SourceBuilt.Prebuilts.*.tar.gz
  * debian/lintian: additional lintian overrides added.

 -- Ian Constantin <ian.constantin@canonical.com>  Wed, 18 Oct 2023 21:05:17 +0300

dotnet8 (8.0.100-8.0.0~rc1-0ubuntu1) mantic; urgency=medium

  * Initial release (LP: #2025261)

 -- Mateus Rodrigues de Morais <mateus.morais@canonical.com>  Thu, 05 Oct 2023 15:58:22 -0300
