[Bug 2060261] Re: [SRU] New upstream microrelease .NET 8.0.4 and SDK 8.0.104
Launchpad Bug Tracker
2060261 at bugs.launchpad.net
Wed May 15 13:16:00 UTC 2024
This bug was fixed in the package dotnet8 - 8.0.105-8.0.5-0ubuntu1~23.10.1
---------------
dotnet8 (8.0.105-8.0.5-0ubuntu1~23.10.1) mantic-security; urgency=medium

  * New upstream release
  * SECURITY UPDATE: stack buffer overflow
    - CVE-2024-30045: a stack based buffer overflow in the .NET Double Parse
      routine allows for remote code execution.
  * SECURITY UPDATE: resource dead-lock
    - CVE-2024-30046: a dead-lock in Http2OutputProducer.Stop() results in a
      denial of service.

 -- Ian Constantin <ian.constantin at canonical.com>  Thu, 09 May 2024 17:16:34 +0300

** Changed in: dotnet8 (Ubuntu Mantic)
Status: Fix Committed => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-30045
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-30046
** Changed in: dotnet8 (Ubuntu Jammy)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dotnet8 in Ubuntu.
https://bugs.launchpad.net/bugs/2060261
Title:
[SRU] New upstream microrelease .NET 8.0.4 and SDK 8.0.104
Status in dotnet8 package in Ubuntu:
Fix Released
Status in dotnet8 source package in Jammy:
Fix Released
Status in dotnet8 source package in Mantic:
Fix Released
Status in dotnet8 source package in Noble:
Fix Released
Bug description:
[Impact]
* This corresponds to an upcoming upstream microrelease (Microsoft
Patch Tuesday microrelease).
* It is beneficial for our latest LTS users to have access to the
latest .NET stack.
* This update is bundled with minor fixes:
- updates Canonical support information
- fixes/adds version parsing edge cases
[Test Case]
* The package should build successfully in noble-proposed,
mantic-proposed and jammy-proposed.
* The packages should be installable on noble, mantic and jammy
on amd64 and arm64 architectures.
* Autopackage tests should pass.
* The usual manual tests that have been seen in the previous microreleases
LP: #2057982 (see Test Case section there).
Note: The need for manual testing is largely reduced since the last SRU,
because the autopkgtests improvements far exceed the coverage
provided by the mentioned manual test plans.
[Regression Potential]
* Upstream tests are usually satisfactory, but there is always a risk
of something breaking.
[Other]
* 8.0.4 is the version number of the .NET Runtime and 8.0.104 is the version
number of the .NET SDK. The package version only refers to the SDK version
number.
* We are only building the 8.0.1xx feature band, because this is the only
feature band that can be built from source. See explanation of feature
bands: https://learn.microsoft.com/en-us/dotnet/core/releases-and-support#feature-bands-sdk-only
* Overview of how dotnet is versioned: https://learn.microsoft.com/en-us/dotnet/core/versions/