Bug 342133 (CVE-2010-3332) - dev-lang/mono: Padding Oracle Information Leak (CVE-2010-3332)
Summary: dev-lang/mono: Padding Oracle Information Leak (CVE-2010-3332)
Status: RESOLVED FIXED
Alias: CVE-2010-3332
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.mono-project.com/Vulnerabi...
Whiteboard: B4 [glsa]
Keywords:
Depends on: mono-2.8 352808 359651
Blocks:
Reported: 2010-10-22 07:17 UTC by Tim Sammut (RETIRED)
Modified: 2012-06-21 20:53 UTC

Description Tim Sammut (RETIRED) gentoo-dev 2010-10-22 07:17:11 UTC
From $url:

Mono ASP.NET implementation is vulnerable to the padding oracle attack, i.e. it leaks some details when invalid padding is being decrypted. However it is not possible to download the web.config file from the web server (and retrieve the keys or other data from it). The actual severity of attack depends on the web application.

Version affected:

    * Mono 1.x and 2.x 

Version fixed:

    * GIT (under testing)
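The description above locates the leak in decryption reporting invalid padding as a distinct failure. The following is an added illustration written for this page, not code from Mono or from this bug report: a toy CBC/PKCS#7 pipeline whose 16-byte Feistel "cipher" is built from SHA-256 only so that it runs on the Python standard library (it is not a real cipher, and the keys, IV and message are constructed values). It contrasts a decrypt routine that checks padding before the MAC and raises distinguishable errors with an encrypt-then-MAC routine that verifies the tag before touching the ciphertext and fails with one uniform error. `tamper_last_byte` and `observed_error` are helpers defined here: the first flips one byte of the second-to-last ciphertext block, which in CBC flips the same byte of the last plaintext block by exactly that value, so the last byte can be steered onto valid or invalid padding deterministically; the second reports which error class an observer would see.

```python
"""Toy CBC + PKCS#7 pipeline: padding-oracle error leak beside its fix.

The block cipher below is a constructed toy (4-round Feistel over SHA-256)
so the example needs only the standard library. Only the error-handling
structure of the two decrypt routines is the point.
"""
import hashlib
import hmac

BLOCK = 16
ROUNDS = 4
TAG_LEN = 32


class DecryptError(Exception):
    """Single, uniform failure used by the hardened path."""


class PaddingError(DecryptError):
    """Distinct padding failure: the signal a padding oracle leaks."""


class MacError(DecryptError):
    """Distinct MAC failure, observably different from PaddingError."""


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, half, i):
    # Toy round function: keyed SHA-256 truncated to the 8-byte half width.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def _block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _round(key, r, i))
    return l + r


def _block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _round(key, l, i)), l
    return l + r


def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    if not data or len(data) % BLOCK:
        raise ValueError("bad length")
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = _block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out.append(_xor(_block_decrypt(key, blk), prev))
        prev = blk
    return b"".join(out)


def _tag(mac_key, data):
    return hmac.new(mac_key, data, hashlib.sha256).digest()


# Vulnerable design: MAC-then-encrypt, padding checked first, two distinct errors.
def encrypt_vulnerable(enc_key, mac_key, iv, msg):
    return iv + cbc_encrypt(enc_key, iv, pkcs7_pad(msg + _tag(mac_key, msg)))


def decrypt_vulnerable(enc_key, mac_key, blob):
    iv, ct = blob[:BLOCK], blob[BLOCK:]
    try:
        pt = pkcs7_unpad(cbc_decrypt(enc_key, iv, ct))
    except ValueError as e:
        raise PaddingError(str(e)) from None  # observable as a padding failure
    msg, tag = pt[:-TAG_LEN], pt[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(mac_key, msg)):
        raise MacError("bad mac")             # observable as a different failure
    return msg


# Hardened design: encrypt-then-MAC, tag verified before decryption, one error.
def encrypt_hardened(enc_key, mac_key, iv, msg):
    body = iv + cbc_encrypt(enc_key, iv, pkcs7_pad(msg))
    return body + _tag(mac_key, body)


def decrypt_hardened(enc_key, mac_key, blob):
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if len(body) < 2 * BLOCK or not hmac.compare_digest(tag, _tag(mac_key, body)):
        raise DecryptError("decryption failed")
    try:
        return pkcs7_unpad(cbc_decrypt(enc_key, body[:BLOCK], body[BLOCK:]))
    except ValueError:
        raise DecryptError("decryption failed") from None  # same error either way


def tamper_last_byte(blob, delta, hardened):
    """XOR `delta` into the last byte of the second-to-last ciphertext block."""
    body = bytearray(blob[:-TAG_LEN] if hardened else blob)
    body[len(body) - BLOCK - 1] ^= delta
    return bytes(body) + (blob[-TAG_LEN:] if hardened else b"")


def observed_error(decrypt, enc_key, mac_key, blob):
    """Name of the error class an observer sees, or 'ok'."""
    try:
        decrypt(enc_key, mac_key, blob)
        return "ok"
    except DecryptError as e:
        return type(e).__name__
```

With a 14-byte message the padded plaintext ends in `02 02`; XORing the steering byte with `0x02` turns the last plaintext byte into `0x00` (invalid padding) and with `0x03` into `0x01` (valid one-byte padding, MAC then fails). The vulnerable routine answers those two cases with different error classes, which is the oracle; the hardened routine answers both with the same `DecryptError` because the tag check rejects any modified ciphertext before padding is ever inspected.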
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2010-11-22 04:26:16 UTC
Mono 2.8.1 contains this fix and has been released upstream.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2010-11-29 22:22:25 UTC
Is it ok to go stable?
Comment 3 Pacho Ramos gentoo-dev 2010-11-29 22:34:03 UTC
I don't think mono 2.8 is ready to go stable yet :-/
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-03-22 22:01:37 UTC
Fixed packages have been stabilized via 352808 and, for ppc only, 359651.

GLSA Vote: No.
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 22:01:06 UTC
Vote: YES. Added to pending GLSA request.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2012-06-21 20:53:31 UTC
This issue was resolved and addressed in
GLSA 201206-13 at http://security.gentoo.org/glsa/glsa-201206-13.xml
by GLSA coordinator Tobias Heinlein (keytoaster).