
Bug 342133 (CVE-2010-3332)

Summary: dev-lang/mono: Padding Oracle Information Leak (CVE-2010-3332)
Product: Gentoo Security
Reporter: Tim Sammut (RETIRED) <underling>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: dotnet
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.mono-project.com/Vulnerabilities#ASP.NET_Padding_Oracle
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 340045, 352808, 359651    
Bug Blocks:    

Description Tim Sammut (RETIRED) gentoo-dev 2010-10-22 07:17:11 UTC
From $url:

Mono ASP.NET implementation is vulnerable to the padding oracle attack, i.e. it leaks some details when invalid padding is being decrypted. However it is not possible to download the web.config file from the web server (and retrieve the keys or other data from it). The actual severity of attack depends on the web application.

Version affected:

    * Mono 1.x and 2.x 

Version fixed:

    * GIT (under testing)
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2010-11-22 04:26:16 UTC
Mono 2.8.1 contains this fix and has been released upstream.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2010-11-29 22:22:25 UTC
Is it ok to go stable?
Comment 3 Pacho Ramos gentoo-dev 2010-11-29 22:34:03 UTC
I don't think mono 2.8 is ready to go stable yet :-/
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2011-03-22 22:01:37 UTC
Fixed packages have been stabilized via 352808 and, for ppc only, 359651.

GLSA Vote: No.
Comment 5 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 22:01:06 UTC
Vote: YES. Added to pending GLSA request.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2012-06-21 20:53:31 UTC
This issue was resolved and addressed in
 GLSA 201206-13 at http://security.gentoo.org/glsa/glsa-201206-13.xml
by GLSA coordinator Tobias Heinlein (keytoaster).