Gentoo Archives: gentoo-announce

From: Tobias Heinlein <keytoaster@g.o>
To: gentoo-announce@g.o
Subject: [gentoo-announce] [ GLSA 201206-13 ] Mono: Multiple vulnerabilities
Date: Thu, 21 Jun 2012 21:37:39
Message-Id: 4FE39263.30403@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201206-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Mono: Multiple vulnerabilities
Date: June 21, 2012
Bugs: #277878, #342133, #345561, #346401, #351087, #372983
ID: 201206-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities were found in Mono, the worst of which
allows for the remote execution of arbitrary code.

Background
==========

Mono is an open source implementation of Microsoft's .NET Framework.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-util/mono-debugger < 2.8.1-r1 >= 2.8.1-r1
2 dev-lang/mono < 2.10.2-r1 >= 2.10.2-r1
-------------------------------------------------------------------
2 affected packages

Description
===========

Multiple vulnerabilities have been discovered in Mono and Mono
debugger. Please review the CVE identifiers referenced below for
details.

Impact
======

A remote attacker could execute arbitrary code, bypass general
constraints, obtain the source code for .aspx applications, obtain
other sensitive information, cause a Denial of Service, modify internal
data structures, or corrupt the internal state of the security manager.

A local attacker could entice a user into running Mono debugger in a
directory containing a specially crafted library file to execute
arbitrary code with the privileges of the user running Mono debugger.

A context-dependent attacker could bypass the authentication mechanism
provided by the XML Signature specification.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Mono debugger users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot -v ">=dev-util/mono-debugger-2.8.1-r1"

All Mono users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-lang/mono-2.10.2-r1"
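
As an added check, not part of this advisory or of Gentoo's own tooling, the following Python compares installed versions against the two unaffected thresholds in the table above. It assumes input lines in the category/name-version form that `qlist -Iv` prints, and uses a simplified version ordering (dotted numeric components plus an -rN revision) described in the comments.

```python
import re

# First unaffected versions from this advisory's "Affected packages" table.
UNAFFECTED = {
    "dev-util/mono-debugger": "2.8.1-r1",
    "dev-lang/mono": "2.10.2-r1",
}
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")

def parse_version(version):
    """Turn 'X.Y.Z[-rN]' into a comparable (components, revision) tuple.

    Simplification (assumption of this example): only dotted numeric parts
    plus a -rN revision are handled, not _rc/_p/letter suffixes. Tuples stay
    unpadded, so 2.10 sorts below 2.10.0, matching Portage's ordering.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    components = tuple(int(part) for part in m.group(1).split("."))
    return components, int(m.group(2) or 0)

def split_cpv(cpv):
    """Split 'category/name-version' at the first '-' followed by a digit."""
    m = re.match(r"^(.*?)-(\d.*)$", cpv)
    if not m:
        raise ValueError(f"not a category/package-version string: {cpv!r}")
    return m.group(1), m.group(2)

def is_vulnerable(package, installed):
    """True when the installed version is below the first unaffected one."""
    return parse_version(installed) < parse_version(UNAFFECTED[package])

def check_installed(cpv_lines):
    """Return [(package, installed, unaffected)] for packages still affected."""
    findings = []
    for line in cpv_lines:
        package, version = split_cpv(line.strip())
        if package in UNAFFECTED and is_vulnerable(package, version):
            findings.append((package, version, UNAFFECTED[package]))
    return findings

if __name__ == "__main__":
    # Constructed sample in the shape of 'qlist -Iv' output, not real output.
    sample = ["dev-util/mono-debugger-2.8.1", "dev-lang/mono-2.10.2-r1"]
    for package, version, fixed in check_installed(sample):
        print(f"{package}-{version} affected; upgrade to >={package}-{fixed}")
```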

References
==========

[ 1 ] CVE-2009-0217
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0217
[ 2 ] CVE-2010-3332
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3332
[ 3 ] CVE-2010-3369
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3369
[ 4 ] CVE-2010-4159
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4159
[ 5 ] CVE-2010-4225
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4225
[ 6 ] CVE-2010-4254
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4254
[ 7 ] CVE-2011-0989
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0989
[ 8 ] CVE-2011-0990
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0990
[ 9 ] CVE-2011-0991
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0991
[ 10 ] CVE-2011-0992
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0992

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-201206-13.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
