Releases.json for .NET 8.0 Missing Required Package Versions

[ushak8089]

URL(s)

Hello,

I noticed that the releases.json file for .NET 8.0 hosted at https://dotnetcli.blob.core.windows.net/dotnet/release-metadata/8.0/releases.json does not include the required package versions (8.0.108-8.0.8-0ubuntu1~24.04.1) for the following packages:

dotnet-host-8.0
aspnetcore-runtime-8.0
dotnet-apphost-pack-8.0
aspnetcore-targeting-pack-8.0
dotnet-runtime-8.0
dotnet-hostfxr-8.0
dotnet-targeting-pack-8.0

Description

Hello,

I noticed that the releases.json file for .NET 8.0 hosted at https://dotnetcli.blob.core.windows.net/dotnet/release-metadata/8.0/releases.json does not include the required package versions (8.0.108-8.0.8-0ubuntu1~24.04.1) for the following packages:

dotnet-host-8.0
aspnetcore-runtime-8.0
dotnet-apphost-pack-8.0
aspnetcore-targeting-pack-8.0
dotnet-runtime-8.0
dotnet-hostfxr-8.0
dotnet-targeting-pack-8.0

This discrepancy is causing issues with automated workflows and dependency checks that rely on this file for versioning information.

Could you please confirm if there’s an issue with the metadata update process or provide clarification on why the required versions are missing?

[ushak8089]

@richlander

[mairaw]

@rbhanda can you check this?

[rbhanda]

Hello,
Can I get more information on which packages are missing? Are the available in https://dotnetcli.blob.core.windows.net/dotnet/release-metadata/9.0/releases.json?

[ushak8089]

@rbhanda

I am using .NET 8.0 for my Ubuntu 24 VM, and I’ve been referencing the release-metadata for version updates.

I am attempting to fix some vulnerabilities, and the report suggests upgrading the following packages from version 8.0.12-0ubuntu124.04.1 to 8.0.108-8.0.8-0ubuntu124.04.1:

dotnet-host-8.0
aspnetcore-runtime-8.0
dotnet-apphost-pack-8.0
aspnetcore-targeting-pack-8.0
dotnet-runtime-8.0
dotnet-hostfxr-8.0
dotnet-targeting-pack-8.0
However, I’ve been unable to find the required 8.0.108 version for these packages, as the official download page for .NET 8.0 (https://dotnet.microsoft.com/en-us/download/dotnet/8.0) does not list it.

I would appreciate any guidance or updated download links for these packages so I can proceed with addressing the vulnerabilities.

Note:- Vulnerability report suggesting (Refer to Ubuntu security advisory USN-6959-1 (https://ubuntu.com/security/notices/USN-6959-1) for updates and patch information.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
USN-6959-1: Ubuntu Linux (https://ubuntu.com/security/notices/USN-6959-1))

CVE-2024-38167

[ushak8089]

@rbhanda

I am using .NET 8.0 for my Ubuntu 24 VM, and I’ve been referencing the release-metadata for version updates.

I am attempting to fix some vulnerabilities, and the report suggests upgrading the following packages from version 8.0.12-0ubuntu124.04.1 to 8.0.108-8.0.8-0ubuntu124.04.1:

dotnet-host-8.0
aspnetcore-runtime-8.0
dotnet-apphost-pack-8.0
aspnetcore-targeting-pack-8.0
dotnet-runtime-8.0
dotnet-hostfxr-8.0
dotnet-targeting-pack-8.0
However, I’ve been unable to find the required 8.0.108 version for these packages, as the official download page for .NET 8.0 (https://dotnet.microsoft.com/en-us/download/dotnet/8.0) does not list it.

I would appreciate any guidance or updated download links for these packages so I can proceed with addressing the vulnerabilities.

Note:- Vulnerability report suggesting (Refer to Ubuntu security advisory USN-6959-1 (https://ubuntu.com/security/notices/USN-6959-1) for updates and patch information.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
USN-6959-1: Ubuntu Linux (https://ubuntu.com/security/notices/USN-6959-1))

[rbhanda]

@leecow do you know about these files

`I am attempting to fix some vulnerabilities, and the report suggests upgrading the following packages from version 8.0.12-0ubuntu124.04.1 to 8.0.108-8.0.8-0ubuntu124.04.1:

dotnet-host-8.0
aspnetcore-runtime-8.0
dotnet-apphost-pack-8.0
aspnetcore-targeting-pack-8.0
dotnet-runtime-8.0
dotnet-hostfxr-8.0
dotnet-targeting-pack-8.0 `

[leecow]

@ushak8089 - for 24.04, it's recommended to use the .NET packages provided by Canonical, rather than the Microsoft provided packages (details here). An easy way to confirm you are using the Canonical packages is to run dotnet --info and check the install directory. When installing the Canonical packages, the directory will be /usr/lib/dotnet. For example:

.NET SDKs installed:
  8.0.112 [/usr/lib/dotnet/sdk]

.NET runtimes installed:
  Microsoft.AspNetCore.App 8.0.12 [/usr/lib/dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 8.0.12 [/usr/lib/dotnet/shared/Microsoft.NETCore.App]

.NET 8.0.12 is available now from Canonical so simply running apt install dotnet-sdk-8.0 will update your VM.

[ushak8089]

@leecow Than you for quick response!
We are currently automated .NET installations for Ubuntu 22.04 and Ubuntu 24.04 VMs. During this process, our scripts download .NET SDK and runtime packages directly from:
https://dotnetcli.blob.core.windows.net/dotnet/release-metadata/8.0/releases.json

However, this approach raises potential security vulnerabilities for ubuntu 24.04 as we are directly fetching packages from Microsoft’s blob storage.

Could you provide a direct, secure link to Canonical-provided .NET packages that we can use instead, ensuring compliance with Ubuntu's repositories? This will help us align with Canonical's package management and address any vulnerability concerns in our automated workflows.

Thank you for your assistance!

[leecow]

.NET 8 updates for Noble are available on Canonical's "noble-updates" feed under devel. See the following:

• https://packages.ubuntu.com/en/noble-updates/devel/
• https://launchpad.net/ubuntu/noble/+package/dotnet8

[ushak8089]

@leecow

Thank you for sharing the links to Canonical's "noble-updates" feed and Launchpad for .NET 8 packages. However, I noticed that the required 8.0.108 version is not available in the repository. This version is crucial for resolving the reported vulnerabilities in our environment.

Your assistance in resolving this issue would be greatly appreciated.

[leecow]

Based on my check before my first reply this evening, the repo has 8.0.112 available. This is supported by the information availble at https://launchpad.net/ubuntu/noble/+package/dotnet8.

[leecow]

I just noticed you also mention 22.04. Confirmed that 8.0.12 is also available in the Jammy update feed.

root@ac6ab1aa0b3e:/# cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.5 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.5 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy

root@ac6ab1aa0b3e:/# apt search dotnet-sdk-8.0
Sorting... Done
Full Text Search... Done
dotnet-sdk-8.0/jammy-updates,jammy-security 8.0.112-0ubuntu1~22.04.1 amd64
  .NET 8.0 Software Development Kit

dotnet-sdk-8.0-source-built-artifacts/jammy-updates,jammy-security 8.0.112-0ubuntu1~22.04.1 amd64
  Internal package for building the .NET 8.0 Software Development Kit

[ushak8089]

@leecow

We’re encountering an issue with .NET packages on Ubuntu 24. While the correct versions version here:

azure-arm.build_vhd: Get:2 http://azure.archive.ubuntu.com/ubuntu noble-updates/main amd64 dotnet-host-8.0 amd64 8.0.12-0ubuntu124.04.1 [187 kB]
azure-arm.build_vhd: Get:3 http://azure.archive.ubuntu.com/ubuntu noble-updates/main amd64 dotnet-hostfxr-8.0 amd64 8.0.12-0ubuntu124.04.1 [144 kB]
azure-arm.build_vhd: Get:4 http://azure.archive.ubuntu.com/ubuntu noble/main amd64 liblttng-ust-common1t64 amd64 2.13.7-1.1ubuntu2 [27.5 kB]
azure-arm.build_vhd: Get:5 http://azure.archive.ubuntu.com/ubuntu noble/main amd64 liblttng-ust-ctl5t64 amd64 2.13.7-1.1ubuntu2 [74.9 kB]
azure-arm.build_vhd: Get:6 http://azure.archive.ubuntu.com/ubuntu noble/main amd64 liblttng-ust1t64 amd64 2.13.7-1.1ubuntu2 [185 kB]
azure-arm.build_vhd: Get:7 http://azure.archive.ubuntu.com/ubuntu noble-updates/main amd64 dotnet-runtime-8.0 amd64 8.0.12-0ubuntu124.04.1 [23.9 MB]
azure-arm.build_vhd: Get:8 http://azure.archive.ubuntu.com/ubuntu noble-updates/main amd64 aspnetcore-runtime-8.0 amd64 8.0.12-0ubuntu124.04.1 [8366 kB]
azure-arm.build_vhd: Get:9 http://azure.archive.ubuntu.com/ubuntu noble-updates/main amd64 aspnetcore-targeting-pack-8.0 amd64 8.0.12-0ubuntu124.04.1 [1919 kB]
azure-arm.build_vhd: Get:10 http://azure.archive.ubuntu.com/ubuntu noble-updates/main amd64 dotnet-apphost-pack-8.0 amd64 8.0.12-0ubuntu124.04.1 [3886 kB]
azure-arm.build_vhd: Get:11 http://azure.archive.ubuntu.com/ubuntu noble-updates/main amd64 dotnet-targeting-pack-8.0 amd64 8.0.12-0ubuntu124.04.1 [2953 kB]
azure-arm.build_vhd: Get:12 http://azure.archive.ubuntu.com/ubuntu noble-updates/main amd64 dotnet-templates-8.0 amd64 8.0.112-0ubuntu124.04.1 [2196 kB]
azure-arm.build_vhd: Get:13 http://azure.archive.ubuntu.com/ubuntu noble-updates/main amd64 netstandard-targeting-pack-2.1-8.0 amd64 8.0.112-0ubuntu124.04.1 [1392 kB]
azure-arm.build_vhd: Get:14 http://azure.archive.ubuntu.com/ubuntu noble-updates/main amd64 dotnet-sdk-8.0 amd64 8.0.112-0ubuntu124.04.1 [90.8 MB]

It is looking for downgrade it seems (Refer to Ubuntu security advisory USN-6959-1 (https://ubuntu.com/security/notices/USN-6959-1) for updates and patch information.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
USN-6959-1: Ubuntu Linux (https://ubuntu.com/security/notices/USN-6959-1))

Package Installed Version Required Version
dotnet-host-8.0 8.0.12-0ubuntu124.04.1 8.0.108-8.0.8-0ubuntu124.04.1
aspnetcore-runtime-8.0 8.0.12-0ubuntu124.04.1 8.0.108-8.0.8-0ubuntu124.04.1
dotnet-apphost-pack-8.0 8.0.12-0ubuntu124.04.1 8.0.108-8.0.8-0ubuntu124.04.1
aspnetcore-targeting-pack-8.0 8.0.12-0ubuntu124.04.1 8.0.108-8.0.8-0ubuntu124.04.1
dotnet-runtime-8.0 8.0.12-0ubuntu124.04.1 8.0.108-8.0.8-0ubuntu124.04.1
dotnet-hostfxr-8.0 8.0.12-0ubuntu124.04.1 8.0.108-8.0.8-0ubuntu124.04.1
dotnet-targeting-pack-8.0 8.0.12-0ubuntu124.04.1 8.0.108-8.0.8-0ubuntu124.04.1#

Note:- this issue is not present on Ubuntu 22, where the installation works without triggering vulnerabilities.

Could you help us understand:

Why the advisory suggests downgrading to older versions, even though newer versions are installed?
Whether there’s a fix or patch specifically for Ubuntu 24 to address the vulnerabilities while keeping the latest versions?
Is there any issue happening with ubuntu 24?

[leecow]

@dviererbe - could you have a look at the questions above? ^^^

[ushak8089]

@mairaw @rbhanda @leecow could you please help me on the above ?

[leecow]

If you're encountering an issue, it's with the Canonical feed, and not something we can resolve. I'm chatting with Canonical today and will ask for them to follow up with this issue.

[ushak8089]

Thank you very much @leecow

[dviererbe]

Thanks Lee for tagging me :)

@ushak8089 Hello, the advisory USN-6959-1 you are referring to is from 13 August 2024. There are newer advisories – the latest advisory for .NET 8 is USN-7210-1, which recommends upgrading to the versions you have already installed.

Ubuntu 24.10

    aspnetcore-runtime-8.0 - 8.0.12-0ubuntu1~24.10.1
    aspnetcore-runtime-9.0 - 9.0.1-0ubuntu1~24.10.1
    dotnet-host-8.0 - 8.0.12-0ubuntu1~24.10.1
    dotnet-host-9.0 - 9.0.1-0ubuntu1~24.10.1
    dotnet-hostfxr-8.0 - 8.0.12-0ubuntu1~24.10.1
    dotnet-hostfxr-9.0 - 9.0.1-0ubuntu1~24.10.1
    dotnet-runtime-8.0 - 8.0.12-0ubuntu1~24.10.1
    dotnet-runtime-9.0 - 9.0.1-0ubuntu1~24.10.1
    dotnet-sdk-8.0 - 8.0.112-0ubuntu1~24.10.1
    dotnet-sdk-9.0 - 9.0.102-0ubuntu1~24.10.1
    dotnet8 - 8.0.112-8.0.12-0ubuntu1~24.10.1
    dotnet9 - 9.0.102-9.0.1-0ubuntu1~24.10.1

Ubuntu 24.04

    aspnetcore-runtime-8.0 - 8.0.12-0ubuntu1~24.04.1
    dotnet-host-8.0 - 8.0.12-0ubuntu1~24.04.1
    dotnet-hostfxr-8.0 - 8.0.12-0ubuntu1~24.04.1
    dotnet-runtime-8.0 - 8.0.12-0ubuntu1~24.04.1
    dotnet-sdk-8.0 - 8.0.112-0ubuntu1~24.04.1
    dotnet8 - 8.0.112-8.0.12-0ubuntu1~24.04.1

Ubuntu 22.04

    aspnetcore-runtime-8.0 - 8.0.12-0ubuntu1~22.04.1
    dotnet-host-8.0 - 8.0.12-0ubuntu1~22.04.1
    dotnet-hostfxr-8.0 - 8.0.12-0ubuntu1~22.04.1
    dotnet-runtime-8.0 - 8.0.12-0ubuntu1~22.04.1
    dotnet-sdk-8.0 - 8.0.112-0ubuntu1~22.04.1
    dotnet8 - 8.0.112-8.0.12-0ubuntu1~22.04.1

question: Which tool are you using, that recommends you to downgrade? If this is a Canonical provided tool I would like to investigate what went wrong.

---

note: I also see that your tool displays the source package version as "Required Version", but displays the binary package version as "Installed Version":

Package Installed Version Required Version
dotnet-host-8.0 8.0.12-0ubuntu124.04.1 8.0.108-8.0.8-0ubuntu124.04.1
aspnetcore-runtime-8.0 8.0.12-0ubuntu124.04.1 8.0.108-8.0.8-0ubuntu124.04.1
dotnet-apphost-pack-8.0 8.0.12-0ubuntu124.04.1 8.0.108-8.0.8-0ubuntu124.04.1
aspnetcore-targeting-pack-8.0 8.0.12-0ubuntu124.04.1 8.0.108-8.0.8-0ubuntu124.04.1
dotnet-runtime-8.0 8.0.12-0ubuntu124.04.1 8.0.108-8.0.8-0ubuntu124.04.1
dotnet-hostfxr-8.0 8.0.12-0ubuntu124.04.1 8.0.108-8.0.8-0ubuntu124.04.1
dotnet-targeting-pack-8.0 8.0.12-0ubuntu124.04.1 8.0.108-8.0.8-0ubuntu124.04.1#

It could also be possible that your tool assumes that the version identifiers for binary and source packages are the same, which is not the case for Ubuntu .NET packages.

Background:
For binary packages that only contain runtime components (e.g. dotnet-runtime-8.0) we only reference the runtime version (e.g. 8.0.12-0ubuntu1~24.04.1) and binary packages that only contain SDK components we only reference the SDK version (e.g. 8.0.112-0ubuntu1~24.04.1), but the source package references the sdk and runtime version (e.g. 8.0.112-8.0.12-0ubuntu1~24.04.1) (see Spec FO127 for further details).

Therefore it could be that your tool thinks that version 8.0.108-8.0.8-0ubuntu1~24.04.1 (of an older source package) is higher than version 8.0.12-0ubuntu1~24.04.1 (of the binary package) due to how the dpkg sorting algorithm works (see deb-version(7)).

Let me know if this was helpful :)

[ushak8089]

Thank you very much for your response @dviererbe @leecow
We are using the Qualys report scanner. The same .NET version is installed on Ubuntu 22.04, but we do not see any vulnerabilities reported there. However, the vulnerability is flagged only on Ubuntu 24.04. Could you help us understand why this discrepancy exists?

Also, I am reviewing the .NET 8.0.12 release notes here, and it looks like 8.0.12 was released on January 14th. I don’t see the vulnerability mentioned in USN-6959-1 CVE-2024-38167 being patched in this release. Could this be the reason the vulnerability is still detected on Ubuntu 24.04 and why a downgrade is recommended?

[dviererbe]

However, the vulnerability is flagged only on Ubuntu 24.04. Could you help us understand why this discrepancy exists?

Because this scanner looks to be proprietary I can only guess. I suspect a combination of the two outlined issues above:

1. Qualys advisory database is not up-to-date with our latest advisories.
2. Qualys comparison algorithm has a bug (assumes source package and binary package version are the same). It looks to me like Qualys report scanner thinks that it recommends to upgrade although it effectively recommends to downgrade.

todo: This behavior should be reported to Qualy, because only they can fix it. If you want, I can contact them. If you want to contact them, please keep me in the loop as I want to prevent this from happening to other Ubuntu users.

[ushak8089]

Yes please @dviererbe please contact them . I really appreciate. Thank you!

[dviererbe]

Also, I am reviewing the .NET 8.0.12 release notes here, and it looks like 8.0.12 was released on January 14th. I don’t see the vulnerability mentioned in USN-6959-1 CVE-2024-38167 being patched in this release. Could this be the reason the vulnerability is still detected on Ubuntu 24.04 and why a downgrade is recommended?

CVE-2024-38167 was patched with 8.0.108-8.0.8-0ubuntu1~24.04.1 Therefore, CVE-2024-38167 is also patched for dotnet8 8.0.112-8.0.12-0ubuntu1~24.04.1.

[ushak8089]

@dviererbe Thank you for confirming!

[ushak8089]

@dviere could you please keep me posted about the Qualy team updates.

[dviererbe]

@ushak8089 FYI: I have opened a support case with Qualy. I will comment here when I get any updates.

[ushak8089]

@dviererbe sounds good! Thank you very much.

[dviererbe]

@ushak8089 the Qualys support asked me share further information with them:

[...] could you please help us with the Qualys report through which it gets highlighted? We need to check every possible artifact to deal with this situation.

There should be some Qualys user who reports it to you, due to which you are considering it as a false positive scenario, where the CVEs are flagging and providing you the remediation/fix to work on further.

Please help us with the Qualys Report or Qualys Result with the mentioned CVEs/Vulnerability details, and if possible, please share asset details, too.

question: Can you write me a response to the above noted inquiries by the Qualys Support at [email protected]?

suggestion: If you want, I can put you in CC of the Qualys support emails, so you are in the loop :)

[ushak8089]

@ushak8089 the Qualys support asked me share further information with them:

[...] could you please help us with the Qualys report through which it gets highlighted? We need to check every possible artifact to deal with this situation.
There should be some Qualys user who reports it to you, due to which you are considering it as a false positive scenario, where the CVEs are flagging and providing you the remediation/fix to work on further.
Please help us with the Qualys Report or Qualys Result with the mentioned CVEs/Vulnerability details, and if possible, please share asset details, too.

question: Can you write me a response to the above noted inquiries by the Qualys Support at [email protected]?

suggestion: If you want, I can put you in CC of the Qualys support emails, so you are in the loop :)

Thank you for the response @dvierebe

As requested, please find the details of the Qualys report for CVE-2024-38167:

Vulnerability Details
CVE ID: CVE-2024-38167
Severity: 3
Vulnerability Status: Active
Title: Ubuntu Security Notification for .NET Vulnerability (USN-6959-1)
First Detected: 01/18/2025
Last Detected: 01/29/2025 08:10 AM
QID: 200627
Operating System: Ubuntu Linux 24.04.1
Tracking Method: QAGENT
Vendor Reference: USN-6959-1
CVSS Base Score: 5.4 (AV:A/AC:M/Au:M/C:N/I:C/A:P)
CVSS Temporal Score: 4.0 (E:U/RL:OF/RC:C)
Threat Description
Ubuntu has released a security update for .NET to fix the vulnerabilities.
Qualys detection utilizes the system's package manager (dpkg) to enumerate installed packages and map them with vendor advisories to identify vulnerable versions.

Impact:
Successful exploitation of this vulnerability could lead to a security breach, impacting integrity, availability, and confidentiality.

Detected Results:

Package Installed Version Required Version
dotnet-host-8.0 8.0.12-0ubuntu124.04.1 8.0.108-8.0.8-0ubuntu124.04.1
aspnetcore-runtime-8.0 8.0.12-0ubuntu124.04.1 8.0.108-8.0.8-0ubuntu124.04.1
dotnet-apphost-pack-8.0 8.0.12-0ubuntu124.04.1 8.0.108-8.0.8-0ubuntu124.04.1
aspnetcore-targeting-pack-8.0 8.0.12-0ubuntu124.04.1 8.0.108-8.0.8-0ubuntu124.04.1
dotnet-runtime-8.0 8.0.12-0ubuntu124.04.1 8.0.108-8.0.8-0ubuntu124.04.1
dotnet-hostfxr-8.0 8.0.12-0ubuntu124.04.1 8.0.108-8.0.8-0ubuntu124.04.1
dotnet-targeting-pack-8.0 8.0.12-0ubuntu124.04.1 8.0.108-8.0.8-0ubuntu124.04.1#

Additional Details
Ticket Status: Open
OS CPE: cpe:/o:canonical:ubuntu_linux:24.04.1::
Category: OS
QDS: 30
ARS: 45
Please review the details and confirm if any further action is needed. Let me know if additional clarification is required.

[ushak8089]

@dviererbe please let me know if you need any additional information. And also please cc me as well.

Thank you!

[dviererbe]

@ushak8089 Sorry, I do not know your E-Mail address. Could you give me an E-Mail address I can share with Qualys support and use to CC you?

[ushak8089]

@ushak8089 Sorry, I do not know your E-Mail address. Could you give me an E-Mail address I can share with Qualys support and use to CC you?

@dviererbe Sorry i forgot to mention, My email ID is [email protected]