dotnet8 (8.0.120-8.0.20-0ubuntu1~24.04.1) noble; urgency=medium

  * New upstream release (LP: #2122356)

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Mon, 08 Sep 2025 20:48:08 +0300

dotnet8 (8.0.119-8.0.19-0ubuntu1~24.04.1) noble; urgency=medium

  * New upstream release (LP: #2119537)

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Tue, 05 Aug 2025 16:37:26 +0300

dotnet8 (8.0.118-8.0.18-0ubuntu1~24.04.1) noble; urgency=medium

  * New upstream release (LP: #2115829)

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Wed, 02 Jul 2025 16:38:30 +0300

dotnet8 (8.0.117-8.0.17-0ubuntu1~24.04.1) noble; urgency=medium

  * New upstream release
  * SECURITY UPDATE: remote code execution
    - CVE-2025-30399: DLL Hijacking Remote Code Execution Vulnerability.
      When using the Download File task in Microsoft.NETCore.App.Runtime,
      omitting the DestinationFileName in the task invocation may expose
      users to remote file hijacking if the server is malicious. 

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Mon, 09 Jun 2025 12:16:30 +0300

dotnet8 (8.0.116-8.0.16-0ubuntu1~24.04.1) noble; urgency=medium

  * New upstream release
  * SECURITY UPDATE: spoofing vulnerability
    - CVE-2025-26646: .NET and Visual Studio Spoofing Vulnerability
  * Remove strict bootstrapping artifact RID matching. Strict matching caused
    issues during bootstrapping of .NET for a new Ubuntu series, because it
    was build with the binary artifact of the previous series, which caused
    the RIDs not to match. (LP: #2110033) Affected files:
    - debian/rules
    - debian/eng/source_build_artifact_path.py
    - debian/tests/build-time-tests/tests.py

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Tue, 06 May 2025 13:59:06 +0300

dotnet8 (8.0.115-8.0.15-0ubuntu1~24.04.1) noble; urgency=medium

  * New upstream release
  * SECURITY UPDATE: denial of service
    - CVE-2025-26682: DoS - ASP.NET Core denial of service with HTTP/3

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Fri, 04 Apr 2025 12:32:57 +0300

dotnet8 (8.0.114-8.0.14-0ubuntu1~24.04.1) noble; urgency=medium

  * New upstream release (LP: #2101028)
  * SECURITY UPDATE: elevation of privilege
    - CVE-2025-24070: EoP - Potential Security Risk in
      SignInManager.RefreshSignInAsync Method
  * debian/control:
    - moved Suggests dotnet-runtime-dbg-8.0 from dotnet8 to dotnet-runtime-8.0
    - moved Suggests aspnetcore-runtime-dbg-8.0 from dotnet8 to aspnetcore-runtime-8.0
    - moved Suggests dotnet-sdk-dbg-8.0 from dotnet8 to dotnet-sdk-8.0

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Thu, 06 Mar 2025 11:24:30 +0200

dotnet8 (8.0.113-8.0.13-0ubuntu1~24.04.1) noble; urgency=medium

  * New upstream release (LP: #2097013)
  * Updated security information of last changelog with latest information from
    upstream maintainers.

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Mon, 10 Feb 2025 20:56:02 +0200

dotnet8 (8.0.112-8.0.12-0ubuntu1~24.04.1) noble; urgency=medium

  * New upstream release (LP: #2094272).
  * SECURITY UPDATE: elevation of privilege
    - CVE-2025-21173: Insecure Temp File Usage Allows Malicious Package
      Dependency Injection on Linux. An attacker could exploit this
      vulnerability to writing a specially crafted file in the security
      context of the local system. This only affects .NET on Linux operating
      systems.
  * Unified source build transition. The debian source tree for dotnet*
    source packages is now build from a common source (see also: 
    https://github.com/canonical/dotnet-source-build/pull/13). Changes include:
    - d/rules: Refactored; the same file is now used by
      all dotnet* source packages. A major change is the use of substvars.
    - d/control: Change hard-coded libicu* to dynamic ${libicu:Depends} substvar.
    - d/eng/dotnet-pkg-info.mk: Added to provide common information and
      functionality for all dotnet* source packages. Is used by d/rules.
    - Removed .in file extension from the files
      d/*.{install,manpages,dirs,docs,preinst,sh}.in and used substvars.
    - d/eng/build-dotnet-tarball.sh: Removed.
    - d/eng/source_build_artifact_path.py, d/eng/versionlib,
      d/tests/regular-tests: Updated; includes bug-fixes from
      other dotnet* source packages.
    - d/patches: Renamed patch files to uniquely identify patches among all
      dotnet* source packages.
  * d/aspnetcore-runtime-8.0.docs: Included src/razor/NOTICE.txt in package to
    comply with Apache-2.0 paragraph 4 section (d).
  * d/control:
    - Alphabetically sorted Build-Depends.
    - Added tree to Build-Depends for debugging purposes.
    - Fixed descriptions with invalid control statements
      (lines containing a space, a full stop and some more characters)
      to comply with Section 5.6.13 in the Debian Policy Manual.
    - Added dotnet-runtime-dbg-8.0, aspnetcore-runtime-dbg-8.0,
      dotnet-sdk-dbg-8.0 to dotnet8 Suggests.
  * d/copyright:
    - Refresh copyright info.
    - Add LGPL-2.1 license text.
  * d/rules: Added override_dh_auto_clean to remove .NET and Python
    binary artifacts.
  * lintian overrides:
    - Silenced dotnet-sdk-8.0-source-built-artifacts: package-has-long-file-name
      The long file name is unavoidable.
    - Silenced FO127 related lintian warning 
      hyphen-in-upstream-part-of-debian-changelog-version.
    - Silenced manpage troff warnings. Troff complains that it is silly that the
      dotnet8 manpages select a monospace font on a terminal output that only
      supports monospace fonts.

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Wed, 15 Jan 2025 20:11:26 +0200

dotnet8 (8.0.111-8.0.11-0ubuntu1~24.04.1) noble; urgency=medium

  * New upstream release (LP: #2087882)

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Fri, 08 Nov 2024 18:16:21 +0200

dotnet8 (8.0.110-8.0.10-0ubuntu1~24.04.1) noble-security; urgency=medium

  * New upstream release
  * SECURITY UPDATE: remote code execution
    - CVE-2024-38229: Kestrel http/3 - When closing an HTTP/3 stream while
      application code is writing to the response body, a race condition may
      lead to remote code execution.
  * SECURITY UPDATE: denial of service
    - CVE-2024-43483: Multiple .NET components designed to process hostile
      input are susceptible to hash flooding attacks.
  * SECURITY UPDATE: denial of service
    - CVE-2024-43484: System.IO.Packaging - Multiple DoS vectors in use of
      SortedList.
  * SECURITY UPDATE: denial of service
    - CVE-2024-43485: Denial of Service attack against System.Text.Json
      ExtensionData feature.

 -- Ian Constantin <ian.constantin@canonical.com>  Wed, 02 Oct 2024 09:54:18 +0300

dotnet8 (8.0.108-8.0.8-0ubuntu1~24.04.2) noble; urgency=medium

  * Add ppc64el as a supported architecture (LP: #2075185).
    - d/control, d/rules: Add ppc64el as a supported architecture.
    - d/eng/versionlib/dotnet.py: Add ppc64le to ArchitectureIdentifier.
  * d/p/0002-roslyn-analyzers-dont-use-apphost.patch: Fix ppc64el FTBFS by
    disabling usage of AppHost in roslyn-analyzers PerformanceTests project.
  * d/p/0003-vstest-intent-net8.0.patch: Fix ppc64el FTBFS by changing the
    vstest Intent test project TFM to net8.0.
  * d/t/regular-tests/release-version-sane/VersionTest.cs: Fix test failure
    by defining a sane release version as less than or equal to current.
  * d/eng/test-runner: Update test runner to latest version (v1.1.0) to fix
    autopkgtest failure in ppc64el.

 -- Mateus Rodrigues de Morais <mateus.morais@canonical.com>  Tue, 13 Aug 2024 18:58:38 -0300

dotnet8 (8.0.108-8.0.8-0ubuntu1~24.04.1) noble-security; urgency=medium

  * New upstream release
  * SECURITY UPDATE: information disclosure
    - CVE-2024-38167: information disclosure vulnerability in TlsStream.
  * debian/eng/build-dotnet-tarball.sh: SECURITY_PARTNERS_REPOSITORY
    connection method updated.

 -- Ian Constantin <ian.constantin@canonical.com>  Fri, 09 Aug 2024 09:43:27 +0300

dotnet8 (8.0.107-8.0.7-0ubuntu1~24.04.1) noble-security; urgency=medium

  * New upstream release
  * SECURITY UPDATE: denial of service
    - CVE-2024-30105: Denial of service vulnerability in System.Text.Json
      deserialization.
  * SECURITY UPDATE: denial of service
    - CVE-2024-35264: Denial of service in ASP.NET Core 8.
  * SECURITY UPDATE: denial of service
    - CVE-2024-38095: Denial of service in parsing X.509 Content and
      ObjectIdentifiers.

 -- Ian Constantin <ian.constantin@canonical.com>  Tue, 02 Jul 2024 11:55:58 +0300

dotnet8 (8.0.105-8.0.5-0ubuntu1~24.04.1) noble-security; urgency=medium

  * New upstream release
  * SECURITY UPDATE: stack buffer overflow
    - CVE-2024-30045: a stack based buffer overflow in the .NET Double Parse
      routine allows for remote code execution.
  * SECURITY UPDATE: resource dead-lock
    - CVE-2024-30046: a dead-lock in Http2OutputProducer.Stop() results in a
      denial of service.
  * debian/patches/0001-fix-clang18-build.patch: refreshed patch to remove
    new upstream inclusions.

 -- Ian Constantin <ian.constantin@canonical.com>  Thu, 09 May 2024 17:16:30 +0300

dotnet8 (8.0.104-8.0.4-0ubuntu1) noble; urgency=medium

  * New upstream release (LP: #2060261).
  * debian/README.source: Update support information (LP: #2058746).
  * debian/eng/versionlib: Add support for '+really' and '~bootstrap+ARCH' 
                           in version string.
  * debian/tests/versionlib-tests: Add versionlib unit tests
    - debian/tests/run-versionlib-tests.sh: script to run the tests

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Fri, 05 Apr 2024 06:22:48 +0300

dotnet8 (8.0.103-8.0.3-0ubuntu3) noble; urgency=medium

  * No-change rebuild for CVE-2024-3094

 -- William Grant <wgrant@ubuntu.com>  Mon, 01 Apr 2024 16:43:22 +1100

dotnet8 (8.0.103-8.0.3-0ubuntu2) noble; urgency=medium

  * d/control: added s390x as a supported architecture
  * d/rules: one-liner to remove .pdb files outside of debug symbols directory
    and added s390x as a supported architecture
  * d/p/0001-fix-clang18-build.patch: fixes FTBFS on clang 18 (LP: #2058766)

 -- Mateus Rodrigues de Morais <mateus.morais@canonical.com>  Sun, 24 Mar 2024 15:32:00 -0300

dotnet8 (8.0.103-8.0.3-0ubuntu1) noble; urgency=medium

  * New upstream release
  * SECURITY UPDATE: denial of service
    - CVE-2024-21392: DoS in .NET Core / YARP HTTP / 2 WebSocket support.
  * Add ca-certificates to dotnet-sdk-8.0 depends (LP: #2057982).
  * Replace debian/tests:
    - Add debian/tests/01_regular-tests & debian/tests/regular-tests
      (testcases files; included version of: 
      https://github.com/canonical/dotnet-regular-tests/).
    - Add debian/tests/build-time-tests
  * debian/rules: Added override_dh_auto_test; runs d/t/build-time-tests
  * debian/copyright: Update debian/ copyright information
  * debian/eng: Added directory for scripts & libraries used within the package:
    - Add debian/eng/test-runner (executes debian/tests/regular-tests testcases;
      included version of: https://github.com/canonical/dotnet-test-runner).
    - Added debian/eng/versionlib (.NET version parsing library; used by 
      debian/tests).
    - Added debian/eng/strenum; needed by debian/eng/versionlib
    - Added debian/eng/dotnet-version.py; needed by debian/tests/01_regular-tests
    - Moved debian/watch-script.sh and debian/build-dotnet-tarball.sh 
      to debian/eng
  * debian/source/include-binaries: includes a certificate needed by
    debian/tests/regular-tests/libuv-kestrel-sample-app-2x
  * Removed debian/repack-dotnet-tarball.sh (deprecated)

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Mon, 18 Mar 2024 14:54:29 +0200

dotnet8 (8.0.102-8.0.2-0ubuntu2) noble; urgency=medium

  * No-change rebuild against libssl3t64

 -- Steve Langasek <steve.langasek@ubuntu.com>  Mon, 04 Mar 2024 17:42:12 +0000

dotnet8 (8.0.102-8.0.2-0ubuntu1) noble; urgency=medium

  * New upstream release
  * SECURITY UPDATE: denial of service
    - CVE-2024-21386: denial of service vector in SignalR server.
  * SECURITY UPDATE: denial of service
    - CVE-2024-21404: .NET with OpenSSL support is vulnerable to a denial of
      service when parsing X509 certificates.

 -- Ian Constantin <ian.constantin@canonical.com>  Thu, 08 Feb 2024 14:02:19 +0200

dotnet8 (8.0.101-8.0.1-0ubuntu2) noble; urgency=medium

  * Added new binary packages for debug symbols.
  * Moved RID-specific targeting packs to dotnet-sdk-8.0 binary package
    per Microsoft documentation. (LP: #2046458)

 -- Mateus Rodrigues de Morais <mateus.morais@canonical.com>  Wed, 17 Jan 2024 17:30:29 -0300

dotnet8 (8.0.101-8.0.1-0ubuntu1) noble; urgency=medium

  * New upstream release
  * SECURITY UPDATE: validation bypass
    - CVE-2024-0057: X509 Certificates - Validation Bypass across Azure
  * SECURITY UPDATE: denial of service
    - CVE-2024-21319: Azure Identity - Pre-Authentication DoS in JWT
  * debian/build-dotnet-tarball.sh: rename function print_err to print_error
  * debian/control: transition to libicu74
  * debian/tests: removed dotnet6-and-dotnet7-and-dotnet8-should-work-together

 -- Ian Constantin <ian.constantin@canonical.com>  Sat, 06 Jan 2024 18:28:44 +0200

dotnet8 (8.0.100-8.0.0-0ubuntu2) noble; urgency=medium

  * No-change rebuild for ICU soname change.

 -- Matthias Klose <doko@ubuntu.com>  Tue, 19 Dec 2023 11:05:39 +0100

dotnet8 (8.0.100-8.0.0-0ubuntu1) noble; urgency=medium

  * New upstream release
  * SECURITY UPDATE: security feature bypass
    - CVE-2023-36558: Security Feature Bypass in Blazor forms
  * SECURITY UPDATE: Arbitrary File Write and Deletion
    - CVE-2023-36049: Microsoft .NET FormatFtpCommand CRLF Injection
      Arbitrary File Write and Deletion
  * debian/patches/0001-Fix-source-built-runtime-version-number.patch: removed
    no longer needed patch.
 -- Ian Constantin <ian.constantin@canonical.com>  Mon, 13 Nov 2023 15:13:03 +0200

dotnet8 (8.0.100-8.0.0~rc2-0ubuntu2) noble; urgency=medium

  * d/p/0001-Fix-source-built-runtime-version-number.patch: Fix
    source-built runtime version number. (LP: #2040547)

 -- Mateus Rodrigues de Morais <mateus.morais@canonical.com>  Thu, 26 Oct 2023 08:52:11 -0300

dotnet8 (8.0.100-8.0.0~rc2-0ubuntu1) mantic-security; urgency=medium

  * New upstream release.
  * SECURITY UPDATE: denial of service
    - CVE-2023-44487: Denial of service - Kestrel server.
  * debian/tests/cli-metadata-should-be-correct: updated regex for the Host
    Runtime Version check.

  [ Mateus Rodrigues de Morais ]
  * debian/rules: removed uneeded sym link for
    $(DOTNET_TOP)/source-built-artifacts/Private.SourceBuilt.Prebuilts.*.tar.gz
  * debian/lintian: additional lintian overrides added.

 -- Ian Constantin <ian.constantin@canonical.com>  Wed, 18 Oct 2023 21:05:17 +0300

dotnet8 (8.0.100-8.0.0~rc1-0ubuntu1) mantic; urgency=medium

  * Initial release (LP: #2025261)

 -- Mateus Rodrigues de Morais <mateus.morais@canonical.com>  Thu, 05 Oct 2023 15:58:22 -0300
