Bug 135002 - www-apache/mod_mono possible file disclosure (CVE-2006-2658)
Bug#: 135002 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: enhancement Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: jaervosz@gentoo.org
Component: Vulnerabilities
URL:  http://svn.myrealbox.com/viewcvs/trunk/xsp/src/Mono.WebServer/MonoWorkerRequest.cs?rev=59868&r1=49611&r2=59868
Summary: www-apache/mod_mono possible file disclosure (CVE-2006-2658)
Keywords:  
Status Whiteboard: ~4 [masked] DerCorny
Opened: 2006-05-31 02:04 0000
Description:   Opened: 2006-05-31 02:04 0000 
A missing check in mod_mono path canonicalization allows disclosure of
arbitrary files when relative path names are used in a HTTP request. As
a result any local file, accessible to the user running Apache, can be
viewed by the attacker.

------- Comment #1 From Stefan Cornelius (RETIRED) 2006-06-13 02:48:14 0000 ------- 
ramereth please provide fixed ebuilds, thanks

------- Comment #2 From Lance Albertson 2006-06-13 19:43:28 0000 ------- 
Do you want this patch applied to all the ebuilds, or is there a current
version that has this fix? I'm in desperate need of bumping this ebuild
anyways, just hadn't gotten to it.

------- Comment #3 From Sune Kloppenborg Jeppesen 2006-06-14 02:30:18 0000 ------- 
I guess a new revision with the patch applied should be fine.

------- Comment #4 From Thierry Carrez (RETIRED) 2006-07-29 05:52:18 0000 ------- 
Lance, are you with us ?

------- Comment #5 From Sune Kloppenborg Jeppesen 2006-09-05 06:01:03 0000 ------- 
Lance any news on this one?

------- Comment #6 From Lance Albertson 2006-09-08 07:58:25 0000 ------- 
(In reply to comment #5)
> Lance any news on this one?
> 

Sigh, I've been extremely busy with work/life lately and haven't been able to
get to this. See if someone from the dotnet group can take care of it until I
can find time. Sorry about that.

------- Comment #7 From Sune Kloppenborg Jeppesen 2006-09-08 10:19:23 0000 ------- 
Thx Lance. Back to ebuild status.

------- Comment #8 From Jakub Moc (RETIRED) 2006-09-13 00:30:33 0000 ------- 
FWIW, there are ebuilds for 1.1.16.1 in Bug 147393, some dotnet folks could
checks them out. ;)

------- Comment #9 From Sune Kloppenborg Jeppesen 2006-09-19 00:29:31 0000 ------- 
No response from herd, perhaps we should get this one masked?

------- Comment #10 From Sune Kloppenborg Jeppesen 2006-09-26 09:19:30 0000 ------- 
Security/dotnet should we mask or bump?

------- Comment #11 From Thierry Carrez (RETIRED) 2006-09-27 12:54:37 0000 ------- 
I would mask it if they don't bump it very soon

------- Comment #12 From Matthias Geerdsen 2006-09-29 04:52:03 0000 ------- 
CC'ing apache since they are listed in metadata too

someone pls patch/bump

otherwise i agree that it should get masked soon

------- Comment #13 From Michael Stewart (vericgar) (RETIRED) 2006-09-29 16:49:15 0000 ------- 
I would bump, but the depends are too heafty for me to test this and I have no
desire of putting the mono/dotnet stack on my system.

This package is not stable on any arch, I'm for package.mask.

------- Comment #14 From Matthias Geerdsen 2006-10-11 05:28:08 0000 ------- 
10 more days passed without reaction

someone with commit rights, pls mask this package refering to the security
issue in this bug

------- Comment #15 From Chris White (RETIRED) 2006-10-19 07:35:14 0000 ------- 
Commited to package.mask

------- Comment #16 From Jurek Bartuszek 2006-10-27 08:16:44 0000 ------- 
This bug does not affect any newer xsp versions. The older xsp-1.0.x ebuilds
have been removed from the tree recently and 1.1.10-r1 was bumped to -r2 which
now contains the proper patch. Therefore I'm closing this bug. Thanks!