dotnet9 (9.0.110-9.0.9-0ubuntu1) questing; urgency=medium

  * New upstream release (LP: #2122355)

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Mon, 08 Sep 2025 20:43:17 +0300

dotnet9 (9.0.109-9.0.8-0ubuntu1) questing; urgency=medium

  * New upstream release (LP: #2119538)

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Tue, 05 Aug 2025 16:36:57 +0300

dotnet9 (9.0.108-9.0.7-0ubuntu1) questing; urgency=medium

  * New upstream release (LP: #2115830)

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Wed, 02 Jul 2025 16:38:30 +0300

dotnet9 (9.0.107-9.0.6-0ubuntu1) questing; urgency=medium

  * New upstream release
  * SECURITY UPDATE: remote code execution
    - CVE-2025-30399: DLL Hijacking Remote Code Execution Vulnerability.
      When using the Download File task in Microsoft.NETCore.App.Runtime,
      omitting the DestinationFileName in the task invocation may expose
      users to remote file hijacking if the server is malicious. 

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Mon, 09 Jun 2025 12:16:30 +0300

dotnet9 (9.0.106-9.0.5-0ubuntu1) questing; urgency=medium

  * New upstream release
  * SECURITY UPDATE: spoofing vulnerability
    - CVE-2025-26646: .NET and Visual Studio Spoofing Vulnerability
  * Remove strict bootstrapping artifact RID matching. Strict matching caused
    issues during bootstrapping of .NET for a new Ubuntu series, because it
    was build with the binary artifact of the previous series, which caused
    the RIDs not to match. (LP: #2110033) Affected files:
    - debian/rules
    - debian/eng/source_build_artifact_path.py
    - debian/tests/build-time-tests/tests.py

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Tue, 06 May 2025 13:59:06 +0300

dotnet9 (9.0.105-9.0.4-0ubuntu1) plucky; urgency=medium

  * New upstream release
  * SECURITY UPDATE: denial of service
    - CVE-2025-26682: DoS - ASP.NET Core denial of service with HTTP/3

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Fri, 04 Apr 2025 12:32:57 +0300

dotnet9 (9.0.104-9.0.3-0ubuntu1) plucky; urgency=medium

  * New upstream release (LP: #2101029)
  * SECURITY UPDATE: elevation of privilege
    - CVE-2025-24070: EoP - Potential Security Risk in
      SignInManager.RefreshSignInAsync Method
  * debian/control:
    - moved Recommends dotnet-sdk-aot-9.0 from dotnet9 to dotnet-sdk-9.0
    - moved Suggests dotnet-runtime-dbg-9.0 from dotnet9 to dotnet-runtime-9.0
    - moved Suggests aspnetcore-runtime-dbg-9.0 from dotnet9 to aspnetcore-runtime-9.0
    - moved Suggests dotnet-sdk-dbg-9.0 from dotnet9 to dotnet-sdk-9.0
  * refreshed d/p/0005-fix-clang20-build.patch to ab style patch

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Thu, 06 Mar 2025 11:24:30 +0200

dotnet9 (9.0.103-9.0.2-0ubuntu2) plucky; urgency=medium

  * d/p/0004-fix-clang20-build.patch: Fix FTBFS with clang 20 (LP: #2099720).
  * d/eng/test-runner/Turkey: Removed unnecessary obj directory.

 -- Mateus Rodrigues de Morais <mateus.morais@canonical.com>  Sat, 22 Feb 2025 15:48:43 -0300

dotnet9 (9.0.103-9.0.2-0ubuntu1) plucky; urgency=medium

  * New upstream release (LP: #2097012)
  * Updated security information of last changelog with latest information from
    upstream maintainers.

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Mon, 10 Feb 2025 20:56:02 +0200

dotnet9 (9.0.102-9.0.1-0ubuntu1) plucky; urgency=medium

  * New upstream release (LP: #2094271).
  * SECURITY UPDATE: remote code execution
    - CVE-2025-21171: Buffer overrun in Convert.TryToHexString. An attacker
      could exploit this vulnerability by sending a specially crafted request
      to the vulnerable web server.
  * SECURITY UPDATE: elevation of privilege
    - CVE-2025-21173: Insecure Temp File Usage Allows Malicious Package
      Dependency Injection on Linux. An attacker could exploit this
      vulnerability to writing a specially crafted file in the security
      context of the local system. This only affects .NET on Linux operating
      systems.
  * d/patches: Renamed patch files to uniquely identify patches among all
    dotnet* source packages.
  * d/rules: Added override_dh_auto_clean to remove .NET and Python
    binary artifacts.
  * d/copyright, d/source/lintian-overrides.dotnet9: Fixed
    superfluous-file-pattern warning for debian/eng/strenum,
    debian/eng/test-runner and debian/tests/regular-tests.
  * d/tests/build-time-tests/tests.py: Fixed crash when running for net8.0.
  * d/eng/dotnet-version.py, d/eng/versionlib/dotnet.py:
    Refactored deb version handling of irregular past releases.

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Tue, 14 Jan 2025 00:10:52 +0200

dotnet9 (9.0.101-9.0.0-0ubuntu2) plucky; urgency=medium

  * No-change rebuild for icu soname change.

 -- Matthias Klose <doko@ubuntu.com>  Sun, 05 Jan 2025 20:28:20 +0100

dotnet9 (9.0.101-9.0.0-0ubuntu1) plucky; urgency=medium

  * New upstream release (LP: #2091009)
  * debian/rules, debian/eng/source_build_artifact_path.py: re-enable strict
    RID matching of last release.
  * debian/eng/dotnet-version.py: 
    - remove temporarily added '-rtm' to DOTNET_DEB_VERSION_SDK_ONLY due
      to higher SDK version number.
    - temporarily added '+build1' to DOTNET_DEB_VERSION_RUNTIME_ONLY to comply
      with FO127 due to same runtime version number compared to last upstream
      release.
  * disable 'host-probes-rid-assets-legacy' test: this test fails and fixing
    would require patching the legacy RID graph which we decided to no longer
    maintain.

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Wed, 04 Dec 2024 16:03:57 +0200

dotnet9 (9.0.100-9.0.0-0ubuntu1) plucky; urgency=medium

  * New upstream release (LP: #2087880)
  * SECURITY UPDATE: privilege escalation
    - CVE-2024-43498: an authenticated attacker could create a malicious
      extension and then wait for an authenticated user to create a new Visual
      Studio project that uses that extension. The result is that the attacker
      could gain the privileges of the user.
  * SECURITY UPDATE: denial of service
    - CVE-2024-43499: a remote unauthenticated attacker could exploit this
      vulnerability by sending specially crafted requests to a .NET vulnerable
      webapp or loading a specially crafted file into a vulnerable desktop app.
  * debian/rules, debian/eng/source_build_artifact_path.py: temporarily disable
    strict RID matching to solve build issue on plucky due to binary copying
    during archive opening.
  * debian/eng/dotnet-version.py: temporarily add '-rtm' to
    DOTNET_DEB_VERSION_RUNTIME_ONLY and DOTNET_DEB_VERSION_SDK_ONLY to fix
    version ordering issue with final release.

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Fri, 08 Nov 2024 18:16:21 +0200

dotnet9 (9.0.100-9.0.0~rc2-0ubuntu1) oracular; urgency=medium

   * New upstream release (LP: #2083883)
   * dropped d/p/0003-use-system-brotli-on-unix-non-portable-builds.patch and
     d/p/0004-use-consistent-shift-instruction.patch:
     Included with new upstream release.
   * d/rules: Fixed missing definition of substitution variable ${libicu:Depends}
     (used to be defined in d/substvars file, but buildlog indicated that this is
     not used by dh_gencontrol).
   * d/t/build-time-tests/test.py: Fixed falsely reported test failure due to new
                                   'dotnet run' CLI design.
   * d/control:
     - Moved dotnet-sdk-aot-9.0 to Recommends from Suggests
       for dotnet9 virtual package.
     - Added dotnet-sdk-dbg-9.0, dotnet-runtime-dbg-9.0,
       aspnetcore-runtime-dbg-9.0 to Suggests for dotnet9 virtual package.
     - Fixed descriptions with invalid control statements
       (lines containing a space, a full stop and some more characters)
       to comply with Section 5.6.13 in the Debian Policy Manual.
   * d/copyright:
     - Contained full Apache-2.0 and LGPL-2.1 license text; referred to
       /usr/share/common-licenses instead.
     - Removed references to files no longer present in new upstream release
       sources.
   * d/aspnetcore-runtime-9.0.docs, d/dotnet-sdk-9.0.docs: Included
     src/razor/NOTICE.txt in package to comply with Apache-2.0
     paragraph 4 section (d).
   * d/source/lintian-overrides:
     - Adjust source-is-missing and source-contains-prebuilt-javascript-object
       overrides due to file changes caused by the new upstream release.
     - Add hyphen-in-upstream-part-of-debian-changelog-version override:
       Canonical Specification FO127 mandates a hyphen in the upstream part of
       the Debian changelog version.
   * d/aspnetcore-targeting-pack-9.0.lintian-overrides,
     d/dotnet-sdk-9.0.lintian-overrides,
     d/dotnet-sdk-dbg-9.0.lintian-overrides,
     d/dotnet-targeting-pack-9.0.lintian-overrides:
     Ignore repeated-path-segment warnings, as these repetitions are intended.
   * d/aspnetcore-targeting-pack-9.0.lintian-overrides:
     ignore package-has-long-file-name warnings

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Mon, 07 Oct 2024 13:42:57 +0000

dotnet9 (9.0.100-9.0.0~rc1-0ubuntu2) oracular; urgency=medium

  * d/rules: tweaks for s390x and ppc64el builds.
    - Explicit usage of the --with-sdk build argument when bootstrapping.
    - Added the --use-mono-runtime flag based on the DOTNET_USE_MONO_RUNTIME
      variable.
    - Conditional dh_gencontrol override for dotnet-sdk-aot-9.0 binary package
      based on the DOTNET_BUILD_AOT_BINARY_PACKAGE variable.
    - Added the --with-system-libs build argument based on the several
      DOTNET_USE_SYSTEM_* library specifier variables.
  * d/eng/dotnet-pkg-info.mk: defined the DOTNET_BUILD_AOT_BINARY_PACKAGE,
    DOTNET_USE_MONO_RUNTIME, and DOTNET_USE_SYSTEM_* variables.
  * d/control: tweaks for s390x and ppc64el builds.
    - Added dh-exec, libbrotli-dev, and rapidjson-dev as build dependencies.
    - The dotnet9 package now only suggests dotnet-sdk-aot-9.0.
    - Changed the dotnet-sdk-aot-9.0 binary package architectures to amd64
      and arm64 only.
  * d/dotnet-sdk-9.0.install: added dh-exec to filter out files not present in
    certain architectures and marked the file as executable.
  * d/t/control: added missing development libraries for the nativeaot-sb test
    and replaced packages provided by this source package with @.
  * d/t/regular-tests/bundled-libunwind/test.json: skipping test when on
    amd64, which no longer bundles libunwind.
  * d/p/0003-use-system-brotli-on-unix-non-portable-builds.patch: fixed
    nativeaot-sb autopkgtest by integrating upstream patch making NativeAOT
    use the system brotli library.
  * d/p/0004-use-consistent-shift-instruction.patch: fixed 'dotnet build'
    throwing System.OutOfMemoryException on stage 2 .NET 9 RC1 build.

 -- Mateus Rodrigues de Morais <mateus.morais@canonical.com>  Thu, 19 Sep 2024 15:54:25 -0300

dotnet9 (9.0.100-9.0.0~rc1-0ubuntu1) oracular; urgency=medium

  * Initial release (LP: #2079031)

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Fri, 06 Sep 2024 17:57:18 +0300
