dotnet9 (9.0.105-9.0.4-0ubuntu1) plucky; urgency=medium

  * New upstream release
  * SECURITY UPDATE: denial of service
    - CVE-2025-26682: DoS - ASP.NET Core denial of service with HTTP/3

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Fri, 04 Apr 2025 12:32:57 +0300

dotnet9 (9.0.104-9.0.3-0ubuntu1) plucky; urgency=medium

  * New upstream release (LP: #2101029)
  * SECURITY UPDATE: elevation of privilege
    - CVE-2025-24070: EoP - Potential Security Risk in
      SignInManager.RefreshSignInAsync Method
  * debian/control:
    - moved Recommends dotnet-sdk-aot-9.0 from dotnet9 to dotnet-sdk-9.0
    - moved Suggests dotnet-runtime-dbg-9.0 from dotnet9 to dotnet-runtime-9.0
    - moved Suggests aspnetcore-runtime-dbg-9.0 from dotnet9 to aspnetcore-runtime-9.0
    - moved Suggests dotnet-sdk-dbg-9.0 from dotnet9 to dotnet-sdk-9.0
  * refreshed d/p/0005-fix-clang20-build.patch to ab style patch

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Thu, 06 Mar 2025 11:24:30 +0200

dotnet9 (9.0.103-9.0.2-0ubuntu2) plucky; urgency=medium

  * d/p/0004-fix-clang20-build.patch: Fix FTBFS with clang 20 (LP: #2099720).
  * d/eng/test-runner/Turkey: Removed unnecessary obj directory.

 -- Mateus Rodrigues de Morais <mateus.morais@canonical.com>  Sat, 22 Feb 2025 15:48:43 -0300

dotnet9 (9.0.103-9.0.2-0ubuntu1) plucky; urgency=medium

  * New upstream release (LP: #2097012)
  * Updated security information of last changelog with latest information from
    upstream maintainers.

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Mon, 10 Feb 2025 20:56:02 +0200

dotnet9 (9.0.102-9.0.1-0ubuntu1) plucky; urgency=medium

  * New upstream release (LP: #2094271).
  * SECURITY UPDATE: remote code execution
    - CVE-2025-21171: Buffer overrun in Convert.TryToHexString. An attacker
      could exploit this vulnerability by sending a specially crafted request
      to the vulnerable web server.
  * SECURITY UPDATE: elevation of privilege
    - CVE-2025-21173: Insecure Temp File Usage Allows Malicious Package
      Dependency Injection on Linux. An attacker could exploit this
      vulnerability to writing a specially crafted file in the security
      context of the local system. This only affects .NET on Linux operating
      systems.
  * d/patches: Renamed patch files to uniquely identify patches among all
    dotnet* source packages.
  * d/rules: Added override_dh_auto_clean to remove .NET and Python
    binary artifacts.
  * d/copyright, d/source/lintian-overrides.dotnet9: Fixed
    superfluous-file-pattern warning for debian/eng/strenum,
    debian/eng/test-runner and debian/tests/regular-tests.
  * d/tests/build-time-tests/tests.py: Fixed crash when running for net8.0.
  * d/eng/dotnet-version.py, d/eng/versionlib/dotnet.py:
    Refactored deb version handling of irregular past releases.

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Tue, 14 Jan 2025 00:10:52 +0200

dotnet9 (9.0.101-9.0.0-0ubuntu2) plucky; urgency=medium

  * No-change rebuild for icu soname change.

 -- Matthias Klose <doko@ubuntu.com>  Sun, 05 Jan 2025 20:28:20 +0100

dotnet9 (9.0.101-9.0.0-0ubuntu1) plucky; urgency=medium

  * New upstream release (LP: #2091009)
  * debian/rules, debian/eng/source_build_artifact_path.py: re-enable strict
    RID matching of last release.
  * debian/eng/dotnet-version.py: 
    - remove temporarily added '-rtm' to DOTNET_DEB_VERSION_SDK_ONLY due
      to higher SDK version number.
    - temporarily added '+build1' to DOTNET_DEB_VERSION_RUNTIME_ONLY to comply
      with FO127 due to same runtime version number compared to last upstream
      release.
  * disable 'host-probes-rid-assets-legacy' test: this test fails and fixing
    would require patching the legacy RID graph which we decided to no longer
    maintain.

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Wed, 04 Dec 2024 16:03:57 +0200

dotnet9 (9.0.100-9.0.0-0ubuntu1) plucky; urgency=medium

  * New upstream release (LP: #2087880)
  * SECURITY UPDATE: privilege escalation
    - CVE-2024-43498: an authenticated attacker could create a malicious
      extension and then wait for an authenticated user to create a new Visual
      Studio project that uses that extension. The result is that the attacker
      could gain the privileges of the user.
  * SECURITY UPDATE: denial of service
    - CVE-2024-43499: a remote unauthenticated attacker could exploit this
      vulnerability by sending specially crafted requests to a .NET vulnerable
      webapp or loading a specially crafted file into a vulnerable desktop app.
  * debian/rules, debian/eng/source_build_artifact_path.py: temporarily disable
    strict RID matching to solve build issue on plucky due to binary copying
    during archive opening.
  * debian/eng/dotnet-version.py: temporarily add '-rtm' to
    DOTNET_DEB_VERSION_RUNTIME_ONLY and DOTNET_DEB_VERSION_SDK_ONLY to fix
    version ordering issue with final release.

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Fri, 08 Nov 2024 18:16:21 +0200

dotnet9 (9.0.100-9.0.0~rc2-0ubuntu1) oracular; urgency=medium

   * New upstream release (LP: #2083883)
   * dropped d/p/0003-use-system-brotli-on-unix-non-portable-builds.patch and
     d/p/0004-use-consistent-shift-instruction.patch:
     Included with new upstream release.
   * d/rules: Fixed missing definition of substitution variable ${libicu:Depends}
     (used to be defined in d/substvars file, but buildlog indicated that this is
     not used by dh_gencontrol).
   * d/t/build-time-tests/test.py: Fixed falsely reported test failure due to new
                                   'dotnet run' CLI design.
   * d/control:
     - Moved dotnet-sdk-aot-9.0 to Recommends from Suggests
       for dotnet9 virtual package.
     - Added dotnet-sdk-dbg-9.0, dotnet-runtime-dbg-9.0,
       aspnetcore-runtime-dbg-9.0 to Suggests for dotnet9 virtual package.
     - Fixed descriptions with invalid control statements
       (lines containing a space, a full stop and some more characters)
       to comply with Section 5.6.13 in the Debian Policy Manual.
   * d/copyright:
     - Contained full Apache-2.0 and LGPL-2.1 license text; referred to
       /usr/share/common-licenses instead.
     - Removed references to files no longer present in new upstream release
       sources.
   * d/aspnetcore-runtime-9.0.docs, d/dotnet-sdk-9.0.docs: Included
     src/razor/NOTICE.txt in package to comply with Apache-2.0
     paragraph 4 section (d).
   * d/source/lintian-overrides:
     - Adjust source-is-missing and source-contains-prebuilt-javascript-object
       overrides due to file changes caused by the new upstream release.
     - Add hyphen-in-upstream-part-of-debian-changelog-version override:
       Canonical Specification FO127 mandates a hyphen in the upstream part of
       the Debian changelog version.
   * d/aspnetcore-targeting-pack-9.0.lintian-overrides,
     d/dotnet-sdk-9.0.lintian-overrides,
     d/dotnet-sdk-dbg-9.0.lintian-overrides,
     d/dotnet-targeting-pack-9.0.lintian-overrides:
     Ignore repeated-path-segment warnings, as these repetitions are intended.
   * d/aspnetcore-targeting-pack-9.0.lintian-overrides:
     ignore package-has-long-file-name warnings

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Mon, 07 Oct 2024 13:42:57 +0000

dotnet9 (9.0.100-9.0.0~rc1-0ubuntu2) oracular; urgency=medium

  * d/rules: tweaks for s390x and ppc64el builds.
    - Explicit usage of the --with-sdk build argument when bootstrapping.
    - Added the --use-mono-runtime flag based on the DOTNET_USE_MONO_RUNTIME
      variable.
    - Conditional dh_gencontrol override for dotnet-sdk-aot-9.0 binary package
      based on the DOTNET_BUILD_AOT_BINARY_PACKAGE variable.
    - Added the --with-system-libs build argument based on the several
      DOTNET_USE_SYSTEM_* library specifier variables.
  * d/eng/dotnet-pkg-info.mk: defined the DOTNET_BUILD_AOT_BINARY_PACKAGE,
    DOTNET_USE_MONO_RUNTIME, and DOTNET_USE_SYSTEM_* variables.
  * d/control: tweaks for s390x and ppc64el builds.
    - Added dh-exec, libbrotli-dev, and rapidjson-dev as build dependencies.
    - The dotnet9 package now only suggests dotnet-sdk-aot-9.0.
    - Changed the dotnet-sdk-aot-9.0 binary package architectures to amd64
      and arm64 only.
  * d/dotnet-sdk-9.0.install: added dh-exec to filter out files not present in
    certain architectures and marked the file as executable.
  * d/t/control: added missing development libraries for the nativeaot-sb test
    and replaced packages provided by this source package with @.
  * d/t/regular-tests/bundled-libunwind/test.json: skipping test when on
    amd64, which no longer bundles libunwind.
  * d/p/0003-use-system-brotli-on-unix-non-portable-builds.patch: fixed
    nativeaot-sb autopkgtest by integrating upstream patch making NativeAOT
    use the system brotli library.
  * d/p/0004-use-consistent-shift-instruction.patch: fixed 'dotnet build'
    throwing System.OutOfMemoryException on stage 2 .NET 9 RC1 build.

 -- Mateus Rodrigues de Morais <mateus.morais@canonical.com>  Thu, 19 Sep 2024 15:54:25 -0300

dotnet9 (9.0.100-9.0.0~rc1-0ubuntu1) oracular; urgency=medium

  * Initial release (LP: #2079031)

 -- Dominik Viererbe <dominik.viererbe@canonical.com>  Fri, 06 Sep 2024 17:57:18 +0300
