135002 2006-05-31 02:04 0000 www-apache/mod_mono possible file disclosure (CVE-2006-2658) 2006-10-27 08:16:44 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://svn.myrealbox.com/viewcvs/trunk/xsp/src/Mono.WebServer/MonoWorkerRequest.cs?rev=59868&r1=49611&r2=59868 ~4 [masked] DerCorny P2 enhancement --- 147393 1 jaervosz@gentoo.org security@gentoo.org apache-bugs@gentoo.org chriswhite@gentoo.org dotnet@gentoo.org jurek@gentoo.org ramereth@gentoo.org jaervosz@gentoo.org 2006-05-31 02:04:56 0000 A missing check in mod_mono path canonicalization allows disclosure of arbitrary files when relative path names are used in a HTTP request. As a result any local file, accessible to the user running Apache, can be viewed by the attacker. dercorny@gentoo.org 2006-06-13 02:48:14 0000 ramereth please provide fixed ebuilds, thanks ramereth@gentoo.org 2006-06-13 19:43:28 0000 Do you want this patch applied to all the ebuilds, or is there a current version that has this fix? I'm in desperate need of bumping this ebuild anyways, just hadn't gotten to it. jaervosz@gentoo.org 2006-06-14 02:30:18 0000 I guess a new revision with the patch applied should be fine. koon@gentoo.org 2006-07-29 05:52:18 0000 Lance, are you with us ? jaervosz@gentoo.org 2006-09-05 06:01:03 0000 Lance any news on this one? ramereth@gentoo.org 2006-09-08 07:58:25 0000 (In reply to comment #5) > Lance any news on this one? > Sigh, I've been extremely busy with work/life lately and haven't been able to get to this. See if someone from the dotnet group can take care of it until I can find time. Sorry about that. jaervosz@gentoo.org 2006-09-08 10:19:23 0000 Thx Lance. Back to ebuild status. jakub@gentoo.org 2006-09-13 00:30:33 0000 FWIW, there are ebuilds for 1.1.16.1 in Bug 147393, some dotnet folks could checks them out. ;) jaervosz@gentoo.org 2006-09-19 00:29:31 0000 No response from herd, perhaps we should get this one masked? jaervosz@gentoo.org 2006-09-26 09:19:30 0000 Security/dotnet should we mask or bump? koon@gentoo.org 2006-09-27 12:54:37 0000 I would mask it if they don't bump it very soon vorlon@gentoo.org 2006-09-29 04:52:03 0000 CC'ing apache since they are listed in metadata too someone pls patch/bump otherwise i agree that it should get masked soon vericgar@gentoo.org 2006-09-29 16:49:15 0000 I would bump, but the depends are too heafty for me to test this and I have no desire of putting the mono/dotnet stack on my system. This package is not stable on any arch, I'm for package.mask. vorlon@gentoo.org 2006-10-11 05:28:08 0000 10 more days passed without reaction someone with commit rights, pls mask this package refering to the security issue in this bug chriswhite@gentoo.org 2006-10-19 07:35:14 0000 Commited to package.mask jurek@gentoo.org 2006-10-27 08:16:44 0000 This bug does not affect any newer xsp versions. The older xsp-1.0.x ebuilds have been removed from the tree recently and 1.1.10-r1 was bumped to -r2 which now contains the proper patch. Therefore I'm closing this bug. Thanks!