[Bug 2138378] Re: New upstream microrelease .NET 10.0.102/10.0.2

Launchpad Bug Tracker 2138378 at bugs.launchpad.net
Mon Feb 16 08:31:38 UTC 2026 

This bug was fixed in the package dotnet10 -
10.0.103-10.0.3-0ubuntu1~24.04.1

---------------
dotnet10 (10.0.103-10.0.3-0ubuntu1~24.04.1) noble; urgency=medium

  * New upstream release
  * SECURITY UPDATE: security feature bypass
    - CVE-2026-21218: An attacker could exploit this vulnerability in
      System.Security.Cryptography.Cose by crafting a malicious payload that
      bypasses the security checks in the affected .NET versions, potentially
      leading to unauthorized access or data manipulation.

 -- Mateus Rodrigues de Morais <mateus.morais at canonical.com>  Mon, 02
Feb 2026 17:30:30 -0300

** Changed in: dotnet10 (Ubuntu Noble)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dotnet10 in Ubuntu.
https://bugs.launchpad.net/bugs/2138378

Title:
  New upstream microrelease .NET 10.0.102/10.0.2

Status in dotnet10 package in Ubuntu:
  Fix Released
Status in dotnet10 source package in Noble:
  Fix Released
Status in dotnet10 source package in Questing:
  Fix Released
Status in dotnet10 source package in Resolute:
  Fix Released

Bug description:
  This is the tracking bug for the .NET 10 January 2026 servicing
  release.

  [Impact]

   * This corresponds to an upstream microrelease released on January 13th, 2026. See also:
     - release announcement: https://github.com/dotnet/source-build/discussions/5462
     - .NET 10.0.2 Runtime release notes: https://github.com/dotnet/core/blob/main/release-notes/10.0/10.0.2/10.0.2.md

   * It is beneficial for all our users (including LTS users) to have
  access to the latest .NET stack.

  [Test Case]

   * The package should build successfully in -proposed (respectively).

   * The packages should be installable on noble and questing on
     amd64, arm64, s390x and ppc64el architectures.

   * Autopackage tests should pass.

  [Regression Potential]

   * The dotnet10 package has no reverse dependencies.

   * The upstream testing routine is usually satisfactory (see for
  example Microsoft's public Azure Pipeline for .NET related
  repositories: https://dev.azure.com/dnceng-public/public/_build), but
  there is always a risk of something breaking.

  [Other]

  * The tarball originated from here:
  https://github.com/canonical/dotnet-source-
  build/actions/runs/20997614259

  * 10.0.2 is the version number of the .NET Runtime and 10.0.102 is the version
    number of the .NET SDK.

  * We are only building the 10.0.1xx feature band, because this is the only
    feature band that allows building from source. See explanation of feature
    bands: https://learn.microsoft.com/en-us/dotnet/core/releases-and-support#feature-bands-sdk-only

  * Overview of how dotnet is versioned: https://learn.microsoft.com/en-
  us/dotnet/core/versions/

  * PPA for review: https://launchpad.net/~mateus-
  morais/+archive/ubuntu/dotnet10-servicing-jan-2026/+packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dotnet10/+bug/2138378/+subscriptions

More information about the foundations-bugs mailing list