Login
Newsletter
Werbung

Sicherheit: Mehrere Probleme in mono
Aktuelle Meldungen Distributionen
Name: Mehrere Probleme in mono
ID: MDVSA-2009:322
Distribution: Mandriva
Plattformen: Mandriva 2008.0
Datum: Mo, 7. Dezember 2009, 15:15
Referenzen: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5197
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3422
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3906
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0217
Applikationen: Mono

Originalnachricht

This is a multi-part message in MIME format...

------------=_1260195331-24326-1767


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory MDVSA-2009:322
http://www.mandriva.com/security/
_______________________________________________________________________

Package : mono
Date : December 7, 2009
Affected: 2008.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities has been found and corrected in mono:

IOActive Inc. found a buffer overflow in Mono.Math.BigInteger class
in Mono 1.2.5.1 and previous versions, which allows arbitrary code
execution by context-dependent attackers (CVE-2007-5197).

Multiple cross-site scripting (XSS) vulnerabilities in the ASP.net
class libraries in Mono 2.0 and earlier allow remote attackers to
inject arbitrary web script or HTML via crafted attributes related to
(1) HtmlControl.cs (PreProcessRelativeReference), (2) HtmlForm.cs
(RenderAttributes), (3) HtmlInputButton (RenderAttributes),
(4) HtmlInputRadioButton (RenderAttributes), and (5) HtmlSelect
(RenderChildren) (CVE-2008-3422).

CRLF injection vulnerability in Sys.Web in Mono 2.0 and earlier allows
remote attackers to inject arbitrary HTTP headers and conduct HTTP
response splitting attacks via CRLF sequences in the query string
(CVE-2008-3906).

The XML HMAC signature system did not correctly check certain
lengths. If an attacker sent a truncated HMAC, it could bypass
authentication, leading to potential privilege escalation
(CVE-2009-0217).

Packages for 2008.0 are being provided due to extended support for
Corporate products.

The updated packages have been patched to fix these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5197
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3422
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3906
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0217
_______________________________________________________________________

Updated Packages:

Mandriva Linux 2008.0:
e5c940429fe7037f4f221b9ff9b620a8 2008.0/i586/jay-1.2.5-2.1mdv2008.0.i586.rpm
83bfd0d6029b4516368760355f9a3fae
2008.0/i586/libmono0-1.2.5-2.1mdv2008.0.i586.rpm
c697f55883457b7c5dda12e8dedc4c23
2008.0/i586/libmono-devel-1.2.5-2.1mdv2008.0.i586.rpm
cbd608614df82586614b206f9709de9d 2008.0/i586/mono-1.2.5-2.1mdv2008.0.i586.rpm
8b4ef19f16d5679883d9c91417082432
2008.0/i586/mono-bytefx-data-mysql-1.2.5-2.1mdv2008.0.i586.rpm
43b5b8085bbdebae15c5bb661f24d571
2008.0/i586/mono-data-1.2.5-2.1mdv2008.0.i586.rpm
6589c6caed4e5bd51c1c57e2a83fa44e
2008.0/i586/mono-data-firebird-1.2.5-2.1mdv2008.0.i586.rpm
61d214672724f684167ca8925f91eb14
2008.0/i586/mono-data-oracle-1.2.5-2.1mdv2008.0.i586.rpm
d519b2cc63be3a76a4d93c058ef86d7e
2008.0/i586/mono-data-postgresql-1.2.5-2.1mdv2008.0.i586.rpm
805e1400678166f533b68ad0a71463b7
2008.0/i586/mono-data-sqlite-1.2.5-2.1mdv2008.0.i586.rpm
b63a15e023653794d41995d3428b6def
2008.0/i586/mono-data-sybase-1.2.5-2.1mdv2008.0.i586.rpm
4a6f56fd50bcab6a8f1cbecd461b2096
2008.0/i586/mono-doc-1.2.5-2.1mdv2008.0.i586.rpm
db36927b07892c1c3e9241685ed1eb72
2008.0/i586/mono-extras-1.2.5-2.1mdv2008.0.i586.rpm
6d97a27aea0d59926f202830d6be327b
2008.0/i586/mono-ibm-data-db2-1.2.5-2.1mdv2008.0.i586.rpm
c52e7a85ad7540b6972d7b1f6eb44f66
2008.0/i586/mono-jscript-1.2.5-2.1mdv2008.0.i586.rpm
5e3266cd728afc4e0e093677bf0d6f06
2008.0/i586/mono-locale-extras-1.2.5-2.1mdv2008.0.i586.rpm
5b535b4ad9940b60249db9f0b3248d30
2008.0/i586/mono-nunit-1.2.5-2.1mdv2008.0.i586.rpm
e170547fede941d174523b3f7a56a77c
2008.0/i586/mono-web-1.2.5-2.1mdv2008.0.i586.rpm
5966cfb191906c938c493e04d05ef6eb
2008.0/i586/mono-winforms-1.2.5-2.1mdv2008.0.i586.rpm
00960df0d4057913baeca6ee30d262f7 2008.0/SRPMS/mono-1.2.5-2.1mdv2008.0.src.rpm

Mandriva Linux 2008.0/X86_64:
7bdcf980d29e32a1c3d3108ad07a05b5
2008.0/x86_64/jay-1.2.5-2.1mdv2008.0.x86_64.rpm
dd6ba52cdb6aa3a8d9ee384622f0ab7d
2008.0/x86_64/lib64mono0-1.2.5-2.1mdv2008.0.x86_64.rpm
2d166512a5a4fecb1512142cc3a1161c
2008.0/x86_64/lib64mono-devel-1.2.5-2.1mdv2008.0.x86_64.rpm
a5082a80792cb6d7b50edd0313abebb4
2008.0/x86_64/mono-1.2.5-2.1mdv2008.0.x86_64.rpm
6199637cffce64193730e1a6fa6a97e7
2008.0/x86_64/mono-bytefx-data-mysql-1.2.5-2.1mdv2008.0.x86_64.rpm
bc9665adbb048a4c2bc1f094b46ce7e0
2008.0/x86_64/mono-data-1.2.5-2.1mdv2008.0.x86_64.rpm
26f805cadf4af5527f65802b17649288
2008.0/x86_64/mono-data-firebird-1.2.5-2.1mdv2008.0.x86_64.rpm
a4efe31e57602a183650084f00eef262
2008.0/x86_64/mono-data-oracle-1.2.5-2.1mdv2008.0.x86_64.rpm
864309bb2442e9bd916e23297e092e5b
2008.0/x86_64/mono-data-postgresql-1.2.5-2.1mdv2008.0.x86_64.rpm
55f04a44471401385ce1dc9228c6655a
2008.0/x86_64/mono-data-sqlite-1.2.5-2.1mdv2008.0.x86_64.rpm
566e4409cfdd23f02f39b01a93eb8bc9
2008.0/x86_64/mono-data-sybase-1.2.5-2.1mdv2008.0.x86_64.rpm
d092d711a298a5578c5e9f285cede2df
2008.0/x86_64/mono-doc-1.2.5-2.1mdv2008.0.x86_64.rpm
7e61c5cc2a4f08e5d0654072279e6061
2008.0/x86_64/mono-extras-1.2.5-2.1mdv2008.0.x86_64.rpm
ea7a03fd1821ee8ab48887ba5a14d555
2008.0/x86_64/mono-ibm-data-db2-1.2.5-2.1mdv2008.0.x86_64.rpm
ca24a0f2765bdc76077659549029f2ef
2008.0/x86_64/mono-jscript-1.2.5-2.1mdv2008.0.x86_64.rpm
e19f5600eba7bc7e12404c39bb9e9203
2008.0/x86_64/mono-locale-extras-1.2.5-2.1mdv2008.0.x86_64.rpm
3f63d60a6b2c1a3a2a9a524496643a6d
2008.0/x86_64/mono-nunit-1.2.5-2.1mdv2008.0.x86_64.rpm
d24d7c55ba6d5dd845b20d2d526dfa7a
2008.0/x86_64/mono-web-1.2.5-2.1mdv2008.0.x86_64.rpm
08846051c6dc2411f9c6535d2ad9e7eb
2008.0/x86_64/mono-winforms-1.2.5-2.1mdv2008.0.x86_64.rpm
00960df0d4057913baeca6ee30d262f7 2008.0/SRPMS/mono-1.2.5-2.1mdv2008.0.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLHOIgmqjQ0CJFipgRApJJAKClsmLYTzWKSVNIs2mFPfXgSeoIAgCfaAj7
1KnMWylh5i2VskZO976EvIs=
=WbOA
-----END PGP SIGNATURE-----


------------=_1260195331-24326-1767
Content-Type: text/plain; name="message-footer.txt"
Content-Disposition: inline; filename="message-footer.txt"
Content-Transfer-Encoding: 8bit

To unsubscribe, send a email to sympa@mandrivalinux.org
with this subject : unsubscribe security-announce
_______________________________________________________
Want to buy your Pack or Services from Mandriva?
Go to http://www.mandrivastore.com
Join the Club : http://www.mandrivaclub.com
_______________________________________________________

------------=_1260195331-24326-1767--
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten
Werbung