This bug was fixed in the package dotnet9 -
9.0.102-9.0.1-0ubuntu1~24.10.1

---------------
dotnet9 (9.0.102-9.0.1-0ubuntu1~24.10.1) oracular; urgency=medium

  * New upstream release (LP: #2094271).
  * SECURITY UPDATE: remote code execution
    - CVE-2025-21171: Buffer overrun in Convert.TryToHexString. An attacker
      could exploit this vulnerability by sending a specially crafted request
      to the vulnerable web server.
  * SECURITY UPDATE: remote code execution
    - CVE-2025-21172: An integer overflow in msdia140.dll leads to heap-based
      buffer overflow, leading to possible RCE. An attacker could exploit this
      vulnerability by loading a specially crafted file in Visual Studio.
  * SECURITY UPDATE: remote code execution
    - CVE-2025-21176: Insufficient input data validation leads to heap-based
      buffer overflow in msdia140.dll. An attacker could exploit this
      vulnerability by loading a specially crafted file in Visual Studio.
  * SECURITY UPDATE: elevation of privilege
    - CVE-2025-21173: Insecure Temp File Usage Allows Malicious Package
      Dependency Injection on Linux. An attacker could exploit this
      vulnerability to write a specially crafted file in the security
      context of the local system. This only affects .NET on Linux operating
      systems.
  * d/patches: Renamed patch files to uniquely identify patches among all
    dotnet* source packages.
  * d/rules: Added override_dh_auto_clean to remove .NET and Python
    binary artifacts.
  * d/copyright, d/source/lintian-overrides.dotnet9: Fixed
    superfluous-file-pattern warning for debian/eng/strenum,
    debian/eng/test-runner and debian/tests/regular-tests.
  * d/tests/build-time-tests/tests.py: Fixed crash when running for net8.0.
  * d/eng/dotnet-version.py, d/eng/versionlib/dotnet.py:
    Refactored deb version handling of irregular past releases.

 -- Dominik Viererbe <dominik.viere...@canonical.com>  Wed, 15 Jan 2025 20:11:26 +0200

** Changed in: dotnet9 (Ubuntu Oracular)
       Status: In Progress => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21171

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21172

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21173

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2025-21176

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2094271

Title:
  [SRU] New upstream microrelease .NET 9.0.102/9.0.1
