dotnet6 (6.0.135-0ubuntu1~22.04.1) jammy-security; urgency=medium

  * New upstream release
  * SECURITY UPDATE: denial of service
    - CVE-2024-43483: Multiple .NET components designed to process hostile
      input are susceptible to hash flooding attacks.
  * SECURITY UPDATE: denial of service
    - CVE-2024-43484: System.IO.Packaging - Multiple DoS vectors in use of
      SortedList.
  * SECURITY UPDATE: denial of service
    - CVE-2024-43485: Denial of Service attack against System.Text.Json
      ExtensionData feature.

 -- Nishit Majithia <nishit.majithia@canonical.com>  Fri, 04 Oct 2024 20:46:48 +0530

dotnet6 (6.0.133-0ubuntu1~22.04.1) jammy; urgency=medium

  * New upstream release (LP: #2076742).

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Tue, 13 Aug 2024 01:13:16 +0300

dotnet6 (6.0.132-0ubuntu1~22.04.1) jammy-security; urgency=medium

  * New upstream release
  * SECURITY UPDATE: denial of service
    - CVE-2024-38095: Denial of service in parsing X.509 Content and
      ObjectIdentifiers.
  * debian/eng/build-dotnet-tarball.sh: SECURITY_PARTNERS_REPOSITORY
    connection method updated.

 -- Nishit Majithia <nishit.majithia@canonical.com>  Thu, 04 Jul 2024 10:23:31 +0530

dotnet6 (6.0.130-0ubuntu1~22.04.1) jammy; urgency=medium

  * New upstream release (LP: #2065300).

 -- Mateus Rodrigues de Morais <mateus.morais@canonical.com>  Tue, 07 May 2024 11:35:02 -0300

dotnet6 (6.0.129-0ubuntu1~22.04.1) jammy; urgency=medium

  * New upstream release (LP: #2060259).
  * debian/README.source: Update support information (LP: #2058746).
  * debian/eng/versionlib: Add support for '+really' and '~bootstrap+ARCH' 
                           in version string.
  * debian/tests/versionlib-tests: Add versionlib unit tests
    - debian/tests/run-versionlib-tests.sh: script to run the tests

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Fri, 05 Apr 2024 06:04:27 +0300

dotnet6 (6.0.128-0ubuntu1~22.04.2) jammy; urgency=medium

  * Add ca-certificates to dotnet-sdk-6.0 depends (LP: #2057982).
  * debian/tests/01_regular-tests:
    - Add optional environment variable REGULAR_TESTS_RUNNER_VERSION
      to download newer versions of test runner from 
      https://github.com/canonical/dotnet-test-runner.
    - Add optional environment variable REGULAR_TESTS_REF
      to download newer versions of test cases from 
      https://github.com/canonical/dotnet-regular-tests/
      - Add git as a dependency.
    - Increase testcase timeout from 300 to 720 seconds.
    - Add optional environment variable REGULAR_TESTS_TESTCASE_TIMEOUT_IN_SECONDS
      to allow overwriting the value externally.
    - Add optional environment variable REGULAR_TESTS_IGNORE_NU1102_ERRORS
      to ignore pagage not found errors during embargo time.
  * Add debian/eng/dotnet-version.py; needed by debian/tests/01_regular-tests
  * debian/rules: Added override_dh_auto_test; runs d/t/build-time-tests
  * debian/copyright: Update debian/ copyright information

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Fri, 15 Mar 2024 16:43:24 +0200

dotnet6 (6.0.128-0ubuntu1~22.04.1) jammy; urgency=medium

  * New upstream release (LP: #2057699)
  * debian/tests:
    - Replaced autopkgtest suite with debian/tests/regular-tests
    - Added debian/tests/build-time-tests
  * debian/rules: Added override_dh_auto_test; runs d/t/build-time-tests
  * debian/eng: Added directory for scripts & libraries used within the package:
    - Added debian/eng/test-runner (runs debian/tests/regular-tests).
    - Added debian/eng/versionlib (.NET version parsing library; used by
      debian/tests/build-time-tests).
    - Added debian/eng/strenum; needed by debian/eng/versionlib
    - Moved debian/failing-watchfile-script.sh and build-dotnet-tarball.sh to
      debian/eng
  * debian/source/include-binaries: includes a certificate needed by
    debian/tests/regular-tests/libuv-kestrel-sample-app-2x

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Mon, 11 Mar 2024 23:54:20 +0200

dotnet6 (6.0.127-0ubuntu1~22.04.1) jammy-security; urgency=medium

  * New upstream release
  * SECURITY UPDATE: denial of service
    - CVE-2024-21386: denial of service vector in SignalR server.
  * SECURITY UPDATE: denial of service
    - CVE-2024-21404: .NET with OpenSSL support is vulnerable to a denial of
      service when parsing X509 certificates.

 -- Nishit Majithia <nishit.majithia@canonical.com>  Fri, 09 Feb 2024 10:40:34 +0530

dotnet6 (6.0.126-0ubuntu1~22.04.1) jammy-security; urgency=medium

  * New upstream release
  * SECURITY UPDATE: validation bypass
    - CVE-2024-0057: X509 Certificates - Validation Bypass across Azure
  * SECURITY UPDATE: denial of service
    - CVE-2024-21319: Azure Identity - Pre-Authentication DoS in JWT

 -- Nishit Majithia <nishit.majithia@canonical.com>  Thu, 04 Jan 2024 10:00:44 +0530

dotnet6 (6.0.125-0ubuntu1~22.04.1) jammy-security; urgency=medium

  [ Nishit Majithia ]
  * New upstream release
  * SECURITY UPDATE: security feature bypass
    - CVE-2023-36558: Security Feature Bypass in Blazor forms
  * SECURITY UPDATE: Arbitrary File Write and Deletion
    - CVE-2023-36049: Microsoft .NET FormatFtpCommand CRLF Injection
      Arbitrary File Write and Deletion

 -- Ian Constantin <ian.constantin@canonical.com>  Mon, 13 Nov 2023 15:37:51 +0200

dotnet6 (6.0.124-0ubuntu1~22.04.1) jammy-security; urgency=medium

  * New upstream release
  * SECURITY REGRESSION: regression update (LP: #2040207)
    - Addresses a regression previously introduced by the fix for
      CVE-2023-36799

 -- Nishit Majithia <nishit.majithia@canonical.com>  Mon, 23 Oct 2023 11:41:09 +0530

dotnet6 (6.0.123-0ubuntu1~22.04.1) jammy-security; urgency=medium

  * New upstream release.
  * SECURITY UPDATE: denial of service
    - CVE-2023-44487: Denial of service - Kestrel server.

 -- Ian Constantin <ian.constantin@canonical.com>  Wed, 04 Oct 2023 23:02:16 +0300

dotnet6 (6.0.122-0ubuntu1~22.04.1) jammy-security; urgency=medium

  * New upstream release.
  * SECURITY UPDATE: denial of service
    - CVE-2023-36799: A vulnerability exists in .NET when processing X.509
      certificates that may result in Denial of Service.
  * debian/tests/cli-metadata-should-be-correct: updated regex for the Host
    Runtime Version check.

 -- Nishit Majithia <nishit.majithia@canonical.com>  Tue, 05 Sep 2023 09:31:21 +0530

dotnet6 (6.0.121-0ubuntu1~22.04.1) jammy-security; urgency=medium

  * New upstream release.
  * SECURITY UPDATE: remote code exection
    - CVE-2023-35390: When running some dotnet commands(e.g. dotnet help
      add), dotnet attempts to locate and initiate a new process using
      cmd.exe. However, it prioritizes searching for cmd.exe in the current
      working directory (CWD) before checking other locations. This can
      potentially lead to the execution of malicious code.
  * SECURITY UPDATE: denial of service
    - CVE-2023-38178: ASP.NET Kestrel stream flow control issue causing a
      leak. A malicious QUIC client, that fires off many unidirectional
      streams with closed writing sides. This will bypass the HTTP/3 stream
      limit and Kestrel cannot keep up with stream processing.
  * SECURITY UPDATE: denial of service
    - CVE-2023-38180: Kestrel vulnerability to slow read attacks

  [ Dominik Viererbe ]
  * d/README.source: updated content
    * added support documentation
    * added end of life process documentation
    * general overhaul
  * d/dotnet.sh.in: DOTNET_ROOT was unnecessarily set (LP: #2027620)
  * d/t/essential-binaries-and-config-files-should-be-present:
    remove check if DOTNET_ROOT is set
  * d/watch
    * updated matching-pattern to only match 6.0.1XX releases
    * d/watch file will fail now deliberately. See comment in d/watch
      for more information
  * unify d/repack-dotnet-tarball.sh into d/build-dotnet-tarball.sh and
    updated command line interface

 -- Nishit Majithia <nishit.majithia@canonical.com>  Wed, 02 Aug 2023 10:42:58 +0530

dotnet6 (6.0.120-0ubuntu1~22.04.1) jammy-security; urgency=medium

  * New upstream release.
  * SECURITY UPDATE: security feature bypass
    - CVE-2023-33170: Race Condition in ASP.NET Core SignInManager<TUser>
      PasswordSignInAsync Method
  * debian/tests/control: enabled test dotnet-runtime-json-contains-ubuntu-rids
  * debian/tests/.tests.rc.d/init.sh: fixed parsing error of runtime revision number

 -- Nishit Majithia <nishit.majithia@canonical.com>  Wed, 05 Jul 2023 08:42:18 +0530

dotnet6 (6.0.119-0ubuntu1~22.04.1) jammy-security; urgency=medium

  [ Dominik Viererbe ]
  * New upstream release.
    - Fixes regression that was introduced with the bugfix for CVE-2023-29331:
      Loading null-password-encrypted PFX certificates through .NET can fail
      unexpectedly for certificates that previously loaded successfully.

 -- Nishit Majithia <nishit.majithia@canonical.com>  Thu, 22 Jun 2023 14:05:30 +0530

dotnet6 (6.0.118-0ubuntu1~22.04.1) jammy-security; urgency=medium

  * New upstream release.
  * SECURITY UPDATE: elevation of privilege
    - CVE-2023-24936: Bypass restrictions when deserializing a DataSet or
      DataTable from XML.
  * SECURITY UPDATE: denial of service
    - CVE-2023-29331: When a .NET application is internet-facing and accepts
      an X509 client certificate for mutual TLS, a malicious client certificate
      can cause unbounded CPU usage.
  * SECURITY UPDATE: remote code exection
    - CVE-2023-29337: A vulnerability exists in NuGet where a potential race
      condition can lead to a symlink attack.
  * SECURITY UPDATE: remote code execution
    - CVE-2023-33128: An issue in source generators can lead to a crash due to
      unmanaged heap corruption.
  * debian/patches/add-kinetic-rids.patch: removed due to inclusion upstream.

  [ Dominik Viererbe ]
  * d/t: extended autopkgtest:
    * essential-binaries-and-config-files-should-be-present
    * cli-metadata-should-be-correct
    * global-json-should-be-detected
    * console-template-should-build-and-run
    * dotnet-help-should-show-output
    * dotnet-project-management-cli-should-work
    * example-fsharp-script-output-should-equal-expected-values
    * building-hello-world-for-all-supported-rids-should-work
    * dotnet-xunit-tests-should-work
    * nuget-cli-should-be-able-to-consume-packages-from-nuget-gallery
    * crossbuild-for-windows-x64-should-run
    * dotnet6-and-dotnet7-should-work-together

 -- Ian Constantin <ian.constantin@canonical.com>  Fri, 02 Jun 2023 17:59:27 +0300

dotnet6 (6.0.116-0ubuntu1~22.04.1) jammy-security; urgency=medium

  * New upstream release.
  * SECURITY UPDATE: elevation of privilege
    - CVE-2023-28260: AzureDevOps Elevation of Privilege - Dotnet CWD dll
      hijack vuln.

 -- Ian Constantin <ian.constantin@canonical.com>  Wed, 05 Apr 2023 16:00:50 +0300

dotnet6 (6.0.115-0ubuntu2~22.04.1) jammy; urgency=medium

  * Backport dotnet 6.0.115 to jammy (LP: #2011807).
    - debian/control: revert to libicu70

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Wed, 22 Mar 2023 13:07:20 +0200

dotnet6 (6.0.115-0ubuntu2) lunar; urgency=medium

  * d/p/add-kinetic-rids.patch: Added RIDs for ubuntu 22.10 kinetic.
    - Based on the dropped d/p/66225runtime-fix-runtime-id.patch
      from wfurt <tweinfurt@yahoo.com>.

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Tue, 21 Mar 2023 19:58:57 +0200

dotnet6 (6.0.115-0ubuntu1) lunar; urgency=medium

  * New upstream microrelease.
  * d/p/66225runtime-fix-runtime-id.patch: Dropped.

 -- Miriam España Acebal <miriam.espana@canonical.com>  Fri, 10 Mar 2023 13:02:43 +0100

dotnet6 (6.0.114-0ubuntu1) lunar; urgency=medium

  * New upstream microrelease.
  * d/control: Using libicu72.
  * d/p/1501sdk-22373-portablerid.patch: Dropped.
  * d/repack-dotnet-tarball.sh: New file. Repack MS tarball.
  * d/rules: if-else for bootstrapping building versus normal one (as done
    for dotnet7). Reenabling install_location file per architecture. Removing
    unused commented lines for clarity.
  * d/tests: Updating these to match the style of those in dotnet7.

 -- Miriam España Acebal <miriam.espana@canonical.com>  Thu, 09 Mar 2023 12:15:50 +0100

dotnet6 (6.0.113-0ubuntu2) lunar; urgency=medium

  * Rebuild against latest icu

 -- Jeremy Bicha <jbicha@ubuntu.com>  Sat, 04 Feb 2023 10:32:29 -0500

dotnet6 (6.0.113-0ubuntu1) lunar; urgency=medium

  * New upstream release.
  * SECURITY UPDATE: denial of service
    - CVE-2023-21538: Parsing an empty HTTP response as a JSON.NET JObject
      causes a stack overflow and crashes a process.

 -- Ian Constantin <ian.constantin@canonical.com>  Thu, 05 Jan 2023 10:29:20 +0200

dotnet6 (6.0.112-0ubuntu1) lunar; urgency=medium

  * New upstream release (LP: #1999549).
  * d/p/series: Removing patch
    73065-runtime-fix-definition-cpuid-clang-15.patch.
  * d/dotnet-host.install.in: Fix destination of install_location*
    files (LP: #1999266).
  * d/dotnet.sh.in: Eliminate the condition to force updating of
    DOTNET_ROOT variable (LP: #1997746).

 -- Miriam España Acebal <miriam.espana@canonical.com>  Tue, 13 Dec 2022 11:03:19 +0100

dotnet6 (6.0.111-0ubuntu3) lunar; urgency=medium

  * Don't remove the --with-sdk option, this is supposed to be there.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 17 Nov 2022 20:57:19 +0000

dotnet6 (6.0.111-0ubuntu2) lunar; urgency=medium

  * Packaging fixups to fix ftbfs against existing 6.0.110.
  * Refresh debian/patches/66225runtime-fix-runtime-id.patch for lunar.

 -- Steve Langasek <steve.langasek@ubuntu.com>  Thu, 17 Nov 2022 19:44:47 +0000

dotnet6 (6.0.111-0ubuntu1) lunar; urgency=medium

  * New upstream release.
  * d/build-dotnet-tarball-sh: No removing libunwind needed by arm64.
  * d/control: building for arm64 too.
  * d/copyright: Non excluding libunwind needed by arm64..
  * d/dotnet-host.install.in: Removing manpages and bash-completion.
  * d/dotnet-host.links.in: New file for dotnet binary.
  * d/dotnet-host.preinst: New file for removing alternatives.
  * d/dotnet-host.manpages : New file.
  * d/dotnet-host.lintian-overrides: New file for man page warnings
    that are being fixed in upstream.
  * d/p/remove-libunwind-build.patch : Modified to apply depending
    on architecture.
  * d/rules:
    + DOTNETLIBDIR is now only DOTNET_TOP
    + Adding --with bash-completion
    + Eliminating dependants creation for alternatives.
    + Eliminating manual installation of man pages.
    (LP: #1996499)

 -- Miriam España Acebal <miriam.espana@canonical.com>  Mon, 31 Oct 2022 14:32:47 +0200

dotnet6 (6.0.110-0ubuntu1) kinetic; urgency=medium

  * New upstream release.
  * SECURITY UPDATE: cache poisoning
    - CVE-2022-41032: Nuget cache poisoning via world-writable cache directory.

  [ Miriam España Acebal ]
  * d/rules: _minor_sdk_version calculation updated to parse last two digits.
  * d/p/10199-arcade-add-clang-15-autodetection.patch
    and d/p/73065-runtime-fix-definition-cpuid-clang-15.patch: New
    patches for avoiding FTBFS when using clang-15 on amd64 architectures.

 -- Ian Constantin <ian.constantin@canonical.com>  Tue, 11 Oct 2022 11:11:12 -0400

dotnet6 (6.0.109-0ubuntu1) kinetic; urgency=medium

  * New upstream release.
  * SECURITY UPDATE: denial of service
    - CVE-2022-38013: ASP.NET Core MVC vulnerable to stack overflow via
      ModelStateDictionary recursion.
  * d/control: removed the libunwind-13 dependency for dotnet-runtime-6.0
    (LP: 1984450)
  * d/README.source: updated with info regarding private repo use.

 -- Ian Constantin <ian.constantin@canonical.com>  Mon, 12 Sep 2022 17:59:11 -0400

dotnet6 (6.0.108-0ubuntu1) kinetic; urgency=medium

  * New upstream release.
  * SECURITY UPDATE
    - CVE-2022-34716: External Entity Injection during XML signature
      verification

 -- Miriam España Acebal <miriam.espana@canonical.com>  Thu, 04 Aug 2022 11:00:57 +0200

dotnet6 (6.0.107-0ubuntu2) kinetic; urgency=medium

  * d/copyright: Removing references to licenses for excluded
    libunwind vendorized code.
  * d/dotnet-host.bash-completion.in: Fixed path.
  * d/s/lintian-overrides: Fixing new format for lintian output.
    Added some new overrides for code shipped in the new tarball.

  [ Jesús Soto ]
  * d/copyright: Added vendorized libunwind code to Files-Excludes.

 -- Miriam España Acebal <miriam.espana@canonical.com>  Tue, 26 Jul 2022 11:17:40 +0200

dotnet6 (6.0.107-0ubuntu1) kinetic; urgency=medium

  * New upstream version.
  * d/copyright: Added Files-Excluded stanza.
  * d/rules: Got the minor version for the SDK and apply it to the
    Priority on alternatives too.
  * d/build-dotnet-tarball.sh: Changed it to work with embargoed repo
    (new logic).
  * d/watch: Added commented part to work without script with a public
    monorepo. Added template/example/invalid parameter for the script.
  * d/README.source: Reflects now the new origtarball building,
    remove text about aggregated repositories building and not use
    of the d/p/series file.

  [ Jesús Soto ]
  * d/p/remove-libunwind-build.patch: Adapt CMakeLists.txt for use
    system libunwind instead of vendorized code.
  * d/p/series: Added above patch.
  * d/control: Added libunwind-dev to build dependencies and
    libunwind-13 as dotnet-runtime-6.0 dependency.
  * d/copyright: Added list of precompiled binaries files not used
    in building.

 -- Miriam España Acebal <miriam.espana@canonical.com>  Fri, 22 Jul 2022 13:41:58 +0200

dotnet6 (6.0.106-0ubuntu2) kinetic; urgency=medium

  * dotnet-runtime-6.0: bump dependency on libicu70 ->
    libicu71 for the ICU transition
  * dotnet-runtime-6.0: drop dependency on libunwind-13,
    we currently use the vendored copy of libunwind

 -- Graham Inggs <ginggs@ubuntu.com>  Thu, 30 Jun 2022 09:36:29 +0000

dotnet6 (6.0.106-0ubuntu1) kinetic; urgency=medium

  * Initial Release (LP: #1979414)

  [ Steve Langasek ]
  * Adjustments to debian/copyright declarations based on Ubuntu NEW review.

 -- Miriam España Acebal <miriam.espana@canonical.com>  Wed, 22 Jun 2022 13:22:15 +0200
