From $url: Mono ASP.NET implementation is vulnerable to the padding oracle attack, i.e. it leaks some details when invalid padding is being decrypted. However it is not possible to download the web.config file from the web server (and retrieve the keys or other data from it). The actual severity of attack depends on the web application. Version affected: * Mono 1.x and 2.x Version fixed: * GIT (under testing)
Mono 2.8.1 contains this fix and has been released upstream.
Is it ok to go stable?
I don't think mono 2.8 is ready to go stable yet :-/
Fixed packages have been stabilized via 352808 and, for ppc only, 359651. GLSA Vote: No.
Vote: YES. Added to pending GLSA request.
This issue was resolved and addressed in GLSA 201206-13 at http://security.gentoo.org/glsa/glsa-201206-13.xml by GLSA coordinator Tobias Heinlein (keytoaster).