Summary: | <dev-lang/mono-2.0.1-r1 ASP.net XSS, Sys.Web Header injection (CVE-2008-3422, CVE-2008-3906) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Robert Buchholz (RETIRED) <rbu> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | dotnet |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://thread.gmane.org/gmane.comp.gnome.mono.devel/28500 | ||
Whiteboard: | B4 [noglsa] | ||
Package list: | | Runtime testing required: | --- |
Bug Depends on: | 234305 | | |
Bug Blocks: | | | |
Description
Robert Buchholz (RETIRED)
2008-08-01 08:51:00 UTC
Patches @ svn://anonsvn.mono-project.com/source

- mono-1-9 : 109358
- mono-2-0 : 109348
- trunk : 109349

There is also a header injection issue, see here: https://bugzilla.novell.com/show_bug.cgi?id=418620

Quote:

> Fixes for the following Mono branches have been committed:
>
> - branches/mono-1-1-7 (r111116)
> - branches/mono-1-1-18 (r111117)
> - branches/mono-1-2-2 (r111118)
> - branches/mono-1-2-5 (r111119)
> - branches/mono-1-9 (r111120)
>
> Second part of the fix (implementation for 1.1) committed to the following branches:
>
> - trunk (r111122)
> - branches/mono-2-0 (r111123)
> - branches/mono-1-1-7 (r111125)
> - branches/mono-1-1-18 (r111126)
> - branches/mono-1-2-2 (r111127)
> - branches/mono-1-2-5 (r111128)
> - branches/mono-1-9 (r111129)
>
> CVE-2008-3906 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3906): CRLF injection vulnerability in Sys.Web in Mono 2.0 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the query string.

2.0 stable, GLSA-ready.

GLSA decision, I vote NO.

Confirmed that dev-lang/mono-2.0.1-r1 carries all fixes. Voting NO.
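As an added illustration, not code from the Mono project or from this bug report, the C# helper below shows the class of check that mitigates the header injection described for CVE-2008-3906: an untrusted value (for instance one taken from the query string) is about to be placed in a response header, and the helper refuses any value containing CR or LF so that no second header or response body can be spliced into the reply. `SafeHeaders`, `AppendSafeHeader`, `HeaderInjectionException` and the in-memory header list are assumptions made for this example; the actual Mono fix lives in the revisions listed above and is not reproduced here.

```csharp
using System;
using System.Collections.Generic;

// Added example, not Mono's code: a defensive wrapper for header values
// that originate from untrusted input such as a query-string parameter.
public sealed class HeaderInjectionException : Exception
{
    public HeaderInjectionException(string message) : base(message) { }
}

public static class SafeHeaders
{
    // True when the value contains neither CR (0x0D) nor LF (0x0A), the
    // characters that terminate a header line in HTTP/1.x. A bare LF is
    // rejected as well, because some parsers accept it as a line ending.
    public static bool IsSafeHeaderValue(string value)
    {
        if (value == null) return false;
        return value.IndexOf('\r') < 0 && value.IndexOf('\n') < 0;
    }

    // Appends "name: value" to an in-memory header list (assumed stand-in
    // for a response's header collection), rejecting injection attempts.
    public static void AppendSafeHeader(IList<string> headers, string name, string value)
    {
        if (!IsSafeHeaderValue(name) || name.IndexOf(':') >= 0)
            throw new HeaderInjectionException("invalid header name");
        if (!IsSafeHeaderValue(value))
            throw new HeaderInjectionException("CR/LF in header value rejected");
        headers.Add(name + ": " + value);
    }

    public static void Main()
    {
        var headers = new List<string>();

        // Constructed benign input: a redirect target read from the query string.
        AppendSafeHeader(headers, "Location", "/index.aspx?page=2");

        // Constructed hostile input: the query-string value carried an encoded
        // CRLF (%0d%0a) which the framework has already URL-decoded, so the
        // check must run on the decoded string, as it does here.
        string hostile = "/index.aspx\r\nX-Injected: yes";
        try
        {
            AppendSafeHeader(headers, "Location", hostile);
        }
        catch (HeaderInjectionException e)
        {
            Console.WriteLine("rejected: " + e.Message);
        }

        foreach (var h in headers) Console.WriteLine(h);
    }
}
```

The important design point is that the check runs on the decoded value immediately before the header is emitted, not on the raw query string: an encoded `%0d%0a` is harmless until something decodes it, and the decoding step is usually inside the framework. Rejecting the request (rather than silently stripping the characters) also makes the attempt visible in application logs, which is what a detection rule would key on.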