Ubuntu
dotnet6 package

[SRU] backport dotnet 6.0.115 to kinetic and jammy

Bug #2011807 reported by Dominik Viererbe
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
dotnet6 (Ubuntu)
Fix Released
Undecided
Dominik Viererbe
Jammy
Fix Released
Undecided
Dominik Viererbe
Kinetic
Fix Released
Undecided
Dominik Viererbe

Bug Description

[Impact]

 * This correspond to an upstream microrelease (Microsoft Patch Tuesday microrelease). See: https://devblogs.microsoft.com/dotnet/march-2023-updates/

 * It is beneficial for our latest LTS users to have access to the latest .NET stack.

[Test Case]

 * The package should build successfully in kinetic-proposed and jammy-proposed.

 * The packages should be installable on kinetic and jammy on amd64 and arm64 architectures.

 * Autopackage tests should pass.

 * The usual manual tests that have been seen in the previous microreleases [1] [2] (see Test Case section there).

[Regression Potential]

 * Upstream tests are usually satisfactory, but there is always a risk of something breaking.

 * If the solution would not be well implemented, the dotnet-host binary will be unable to recognize the SDKs installed and all the other shared files (templates, packs, etc...).

[Other]

* Although the dotnet SDK 6.0.115 is part of the dotnet 6.0.15 release we refer to the release as 6.0.115, because source build only supports the 6.0.1xx feature band. (See https://github.com/dotnet/source-build#support)

* Explanation of feature bands: https://learn.microsoft.com/en-us/dotnet/core/releases-and-support#feature-bands-sdk-only

* Overview of how dotnet is versioned: https://learn.microsoft.com/en-us/dotnet/core/versions/

[1] https://launchpad.net/bugs/1996499
[2] https://launchpad.net/bugs/1983380

See original description

CVE References

Dominik Viererbe (dviererbe)
Changed in dotnet6 (Ubuntu):
assignee: nobody → Dominik Viererbe (dviererbe)
Dominik Viererbe (dviererbe)
Changed in dotnet6 (Ubuntu Jammy):
assignee: nobody → Dominik Viererbe (dviererbe)
Changed in dotnet6 (Ubuntu Kinetic):
assignee: nobody → Dominik Viererbe (dviererbe)
Changed in dotnet6 (Ubuntu):
status: New → In Progress
Changed in dotnet6 (Ubuntu Jammy):
status: New → In Progress
Changed in dotnet6 (Ubuntu Kinetic):
status: New → In Progress
Dominik Viererbe (dviererbe)
description: updated
Revision history for this message
Dominik Viererbe (dviererbe) wrote :

I did some basic dogfooding testing with dotnet 6.0.115:
 - on amd64 with kinetic
 - on amd64 with jammy
 - on arm64 with kinetic
 - on arm64 with jammy

Behaved as expected.

Also worked with the dotnet 7.0.104 SRU (LP: #2011809)

PPAs:
- https://launchpad.net/~dviererbe/+archive/ubuntu/dotnet6-0-115-backport-jammy
- https://launchpad.net/~dviererbe/+archive/ubuntu/dotnet6-0-115-backport-kinetic

Dominik Viererbe (dviererbe)
Changed in dotnet6 (Ubuntu):
status: In Progress → Fix Committed
Changed in dotnet6 (Ubuntu Jammy):
status: In Progress → Fix Committed
Changed in dotnet6 (Ubuntu Kinetic):
status: In Progress → Fix Committed
Revision history for this message
Dominik Viererbe (dviererbe) wrote :

I had to rebuild the backports, because the previous builds used dotnet6.0.113 dependencies and the kinetic RIDs had been missing.

The kinetic builds can be found here: https://launchpad.net/~dviererbe/+archive/ubuntu/dotnet6-0-115-kinetic and the jammy backports can be found here: https://launchpad.net/~dviererbe/+archive/ubuntu/dotnet6-0-115-jammy

Manual Testing was as expected. They are currently in review.

Revision history for this message
Graham Inggs (ginggs) wrote :

Uploaded to kinetic with minor changes

Revision history for this message
Graham Inggs (ginggs) wrote :

Uploaded to jammy with minor changes

Ubuntu Foundations Team Bug Bot (crichton)
tags: added: patch
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Dominik, or anyone else affected,

Accepted dotnet6 into kinetic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/dotnet6/6.0.115-0ubuntu2~22.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-kinetic to verification-done-kinetic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-kinetic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed verification-needed-kinetic
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Hello Dominik, or anyone else affected,

Accepted dotnet6 into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/dotnet6/6.0.115-0ubuntu2~22.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

tags: added: verification-needed-jammy
Revision history for this message
Dominik Viererbe (dviererbe) wrote :

Hello Łukasz,

I verified the dotnet6 packages in the jammy-proposed (6.0.115-0ubuntu2~22.04.1) and kinetic-proposed (6.0.115-0ubuntu2~22.10.1) pockets on amd64 and arm64 architectures by running the specified manual tests. The manual tests behaved as expected.

Thanks again for doing the review, before the Pulse ended!

tags: added: verification-done-jammy verification-done-kinetic
removed: verification-needed verification-needed-jammy verification-needed-kinetic
Miriam España Acebal (mirespace)
tags: added: verification-done
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dotnet6 - 6.0.116-0ubuntu1~22.04.1

---------------
dotnet6 (6.0.116-0ubuntu1~22.04.1) jammy-security; urgency=medium

  * New upstream release.
  * SECURITY UPDATE: elevation of privilege
    - CVE-2023-28260: AzureDevOps Elevation of Privilege - Dotnet CWD dll
      hijack vuln.

 -- Ian Constantin <email address hidden> Wed, 05 Apr 2023 16:00:50 +0300

Changed in dotnet6 (Ubuntu Jammy):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dotnet6 - 6.0.116-0ubuntu1~22.10.1

---------------
dotnet6 (6.0.116-0ubuntu1~22.10.1) kinetic-security; urgency=medium

  * New upstream release.
  * SECURITY UPDATE: elevation of privilege
    - CVE-2023-28260: AzureDevOps Elevation of Privilege - Dotnet CWD dll
      hijack vuln.

 -- Ian Constantin <email address hidden> Wed, 05 Apr 2023 16:09:08 +0300

Changed in dotnet6 (Ubuntu Kinetic):
status: Fix Committed → Fix Released
Miriam España Acebal (mirespace)
Changed in dotnet6 (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.