New upstream microrelease .NET 9.0 final release

Bug #2087880 reported by Dominik Viererbe
Affects            Status                     Importance   Assigned to        Milestone
dotnet9 (Ubuntu)   Status tracked in Plucky
  Oracular         Fix Released               High         Dominik Viererbe
  Plucky           Fix Released               High         Dominik Viererbe

Bug Description

This is the tracking bug for the .NET 9.0 final release.

CVE References

Changed in dotnet9 (Ubuntu Oracular):
status: New → In Progress
assignee: nobody → Dominik Viererbe (dviererbe)
importance: Undecided → High
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dotnet9 - 9.0.100-9.0.0-0ubuntu1~24.10.1

---------------
dotnet9 (9.0.100-9.0.0-0ubuntu1~24.10.1) oracular; urgency=medium

  * New upstream release (LP: #2087880)
  * SECURITY UPDATE: privilege escalation
    - CVE-2024-43498: an authenticated attacker could create a malicious
      extension and then wait for an authenticated user to create a new Visual
      Studio project that uses that extension. The result is that the attacker
      could gain the privileges of the user.
  * SECURITY UPDATE: denial of service
    - CVE-2024-43499: a remote unauthenticated attacker could exploit this
      vulnerability by sending specially crafted requests to a .NET vulnerable
      webapp or loading a specially crafted file into a vulnerable desktop app.
  * debian/rules, debian/eng/source_build_artifact_path.py: temporarily disable
    strict RID matching to solve build issue on plucky due to binary copying
    during archive opening.
  * debian/eng/dotnet-version.py: temporarily add '-rtm' to
    DOTNET_DEB_VERSION_RUNTIME_ONLY and DOTNET_DEB_VERSION_SDK_ONLY to fix
    version ordering issue with final release.

 -- Dominik Viererbe <email address hidden> Fri, 08 Nov 2024 18:16:21 +0200

Changed in dotnet9 (Ubuntu Oracular):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package dotnet9 - 9.0.100-9.0.0-0ubuntu1

---------------
dotnet9 (9.0.100-9.0.0-0ubuntu1) plucky; urgency=medium

  * New upstream release (LP: #2087880)
  * SECURITY UPDATE: privilege escalation
    - CVE-2024-43498: an authenticated attacker could create a malicious
      extension and then wait for an authenticated user to create a new Visual
      Studio project that uses that extension. The result is that the attacker
      could gain the privileges of the user.
  * SECURITY UPDATE: denial of service
    - CVE-2024-43499: a remote unauthenticated attacker could exploit this
      vulnerability by sending specially crafted requests to a .NET vulnerable
      webapp or loading a specially crafted file into a vulnerable desktop app.
  * debian/rules, debian/eng/source_build_artifact_path.py: temporarily disable
    strict RID matching to solve build issue on plucky due to binary copying
    during archive opening.
  * debian/eng/dotnet-version.py: temporarily add '-rtm' to
    DOTNET_DEB_VERSION_RUNTIME_ONLY and DOTNET_DEB_VERSION_SDK_ONLY to fix
    version ordering issue with final release.

 -- Dominik Viererbe <email address hidden> Fri, 08 Nov 2024 18:16:21 +0200

Changed in dotnet9 (Ubuntu Plucky):
status: In Progress → Fix Released