An unloading bug can, under some circumstances, let ASP.NET applications misbehave and return the source code (.aspx) of the application or any other file in the web application directory. A vulnerability has been reported in Mono, which can be exploited by malicious people to disclose potentially sensitive information. The vulnerability is caused due to an unspecified error within the "mod_mono" module and can be exploited to disclose the source code of ASPX scripts. The vulnerability is reported in versions prior to 2.8.2. http://secunia.com/advisories/42842/
+*mono-2.8.2 (25 Jan 2011) + + 25 Jan 2011; Pacho Ramos <pacho@gentoo.org> -mono-2.8.1-r1.ebuild, + +mono-2.8.2.ebuild, -mono-9999.ebuild, -files/mono-9999-libdir.patch: + Version bump, remove old testing and 9999 version since it's not really + maintained downstream. + But I am still unable to bump moonlight to a working version with mono-2.8 :-S (bug #340375)
Okay, our stabilization target is =dev-lang/mono-2.8.2 Bug #340375 is probably going to block this, but there might be more, so CC-ing arches now.
Can we wait a bit more for getting it stabilized or is this a too major security problem? I will probably open a bug with a list of dotnet related things to stabilize (including mono-2.8.2 and others), but I would like to wait a bit also for bug 346135 (and will probably hardmask moonlight until they release a fixed tarball for 2.99.x)
This and other security problems will be solved with bug 351087
Fixed packages have been stabilized via 352808 and, for ppc only, 359651. GLSA Vote: yes.
CVE-2010-4225 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4225): Unspecified vulnerability in the mod_mono module for XSP in Mono 2.8.x before 2.8.2 allows remote attackers to obtain the source code for .aspx (ASP.NET) applications via unknown vectors related to an "unloading bug."
Vote: YES. Added to pending GLSA request.
This issue was resolved and addressed in GLSA 201206-13 at http://security.gentoo.org/glsa/glsa-201206-13.xml by GLSA coordinator Tobias Heinlein (keytoaster).