Summary: | <dev-lang/mono-2.8.2: ASP.NET Source Code Disclosure Vulnerability (CVE-2010-4225) | | |
---|---|---|---
Product: | Gentoo Security | Reporter: | Paweł Hajdan, Jr. (RETIRED) <phajdan.jr>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | normal | CC: | dotnet
Priority: | High | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | http://www.mono-project.com/Vulnerabilities#XSP.2Fmod_mono_source_code_disclosure | |
Whiteboard: | B3 [glsa] | |
Package list: | | Runtime testing required: | ---
Bug Depends on: | 352808, 359651 | |
Bug Blocks: | | |
Description
Paweł Hajdan, Jr. (RETIRED)
2011-01-08 06:20:12 UTC
+*mono-2.8.2 (25 Jan 2011)
+
+ 25 Jan 2011; Pacho Ramos <pacho@gentoo.org> -mono-2.8.1-r1.ebuild,
+ +mono-2.8.2.ebuild, -mono-9999.ebuild, -files/mono-9999-libdir.patch:
+ Version bump, remove old testing and 9999 version since it's not really
+ maintained downstream.

But I am still unable to bump moonlight to a working version with mono-2.8 :-S (bug #340375)

Okay, our stabilization target is =dev-lang/mono-2.8.2

Bug #340375 is probably going to block this, but there might be more, so CC-ing arches now.

Can we wait a bit more for getting it stabilized, or is this too major a security problem?

I will probably open a bug with a list of dotnet related things to stabilize (including mono-2.8.2 and others), but I would like to wait a bit also for bug 346135 (and will probably hardmask moonlight until they release a fixed tarball for 2.99.x)

This and other security problems will be solved with bug 351087

Fixed packages have been stabilized via 352808 and, for ppc only, 359651.

GLSA Vote: yes.

CVE-2010-4225 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4225):
Unspecified vulnerability in the mod_mono module for XSP in Mono 2.8.x before 2.8.2 allows remote attackers to obtain the source code for .aspx (ASP.NET) applications via unknown vectors related to an "unloading bug."

Vote: YES. Added to pending GLSA request.

This issue was resolved and addressed in GLSA 201206-13 at http://security.gentoo.org/glsa/glsa-201206-13.xml by GLSA coordinator Tobias Heinlein (keytoaster).
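The affected range is given in the summary as `<dev-lang/mono-2.8.2`, and the thread mentions `mono-2.8.1-r1` (vulnerable), `mono-2.8.2` (fixed) and the `9999` live ebuild. Deciding whether an installed package falls inside such a range needs Gentoo's version-ordering rules (revisions, letters, `_rc`/`_p` suffixes, leading zeros), which differ from naive numeric or string comparison. The following is an added example, not code from this bug or from Portage: a self-contained implementation of the PMS version comparison plus an atom matcher, run over a constructed installed-package list (the kind of output `qlist -ICv` prints; the sample entries are made up for illustration). The function names `vercmp`, `is_affected` and `find_affected` are this example's own.

```python
import itertools
import re

# Gentoo version syntax (PMS section 3.2): numeric components, optional
# single letter, optional _alpha/_beta/_pre/_rc/_p suffixes, optional -rN.
_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)(?P<letter>[a-z])?"
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)(?:-r(?P<rev>\d+))?$"
)
# Suffix ordering per PMS: _alpha < _beta < _pre < _rc < (no suffix) < _p
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, "": 4, "p": 5}
_NO_SUFFIX = (_SUFFIX_RANK[""], 0)

# Versioned atom with a comparison operator, e.g. "<dev-lang/mono-2.8.2"
_ATOM_RE = re.compile(r"^(?P<op><=|>=|<|>|=)(?P<cpv>.+)$")
# category/package-version: the version starts at the first "-<digit>"
_CPV_RE = re.compile(r"^(?P<cat>[^/]+)/(?P<pn>.+?)-(?P<pv>\d[^-]*(?:-r\d+)?)$")


def _cmp(a, b):
    return (a > b) - (a < b)


def parse_version(ver):
    m = _VERSION_RE.match(ver)
    if not m:
        raise ValueError(f"not a valid Gentoo version: {ver!r}")
    nums = m.group("nums").split(".")
    letter = m.group("letter") or ""
    # Each suffix becomes (rank, number); a bare "_p" counts as _p0.
    suffixes = [(_SUFFIX_RANK[name], int(num or 0))
                for name, num in re.findall(r"_([a-z]+)(\d*)", m.group("suffixes"))]
    rev = int(m.group("rev") or 0)
    return nums, letter, suffixes, rev


def vercmp(v1, v2):
    """Return -1, 0 or 1 as v1 is older than, equal to or newer than v2."""
    n1, l1, s1, r1 = parse_version(v1)
    n2, l2, s2, r2 = parse_version(v2)
    # The first numeric component always compares as an integer.
    c = _cmp(int(n1[0]), int(n2[0]))
    if c:
        return c
    # Later components compare as integers unless one has a leading zero,
    # in which case PMS compares them as strings with trailing zeros
    # stripped (so 2.08 < 2.8 while 2.80 > 2.8).
    for a, b in zip(n1[1:], n2[1:]):
        if a.startswith("0") or b.startswith("0"):
            c = _cmp(a.rstrip("0"), b.rstrip("0"))
        else:
            c = _cmp(int(a), int(b))
        if c:
            return c
    # Fewer components is older (2.8 < 2.8.1); then the letter (2.8.1 < 2.8.1a).
    c = _cmp(len(n1), len(n2)) or _cmp(l1, l2)
    if c:
        return c
    # Unequal suffix lists: the missing side counts as "no suffix", so an
    # extra _rc/_alpha makes a version older and an extra _p makes it newer.
    for a, b in itertools.zip_longest(s1, s2, fillvalue=_NO_SUFFIX):
        c = _cmp(a, b)
        if c:
            return c
    return _cmp(r1, r2)


def split_cpv(cpv):
    m = _CPV_RE.match(cpv)
    if not m:
        raise ValueError(f"not a category/package-version string: {cpv!r}")
    return m.group("cat"), m.group("pn"), m.group("pv")


def is_affected(installed_cpv, atom):
    """True if installed_cpv lies in the range the atom describes."""
    m = _ATOM_RE.match(atom)
    if not m:
        raise ValueError(f"unsupported atom: {atom!r}")
    op, (cat, pn, pv) = m.group("op"), split_cpv(m.group("cpv"))
    icat, ipn, ipv = split_cpv(installed_cpv)
    if (icat, ipn) != (cat, pn):
        return False
    c = vercmp(ipv, pv)
    return {"<": c < 0, "<=": c <= 0, "=": c == 0, ">=": c >= 0, ">": c > 0}[op]


def find_affected(installed, atoms):
    """Return the installed packages matching any of the vulnerable atoms."""
    return [cpv for cpv in installed if any(is_affected(cpv, a) for a in atoms)]


# Constructed sample of an installed-package list; not taken from a real system.
SAMPLE_INSTALLED = [
    "dev-lang/mono-2.8.1-r1",
    "dev-lang/mono-basic-2.8",
    "www-apache/mod_mono-2.8",
]
VULNERABLE_ATOMS = ["<dev-lang/mono-2.8.2"]

if __name__ == "__main__":
    for cpv in find_affected(SAMPLE_INSTALLED, VULNERABLE_ATOMS):
        print(f"affected: {cpv}")
```

Two caveats. A live ebuild such as `mono-9999` compares as newer than every release, so a range check says nothing about which upstream revision it actually built; it has to be judged by its checkout, not its version. And on a real system this comparison is better left to Portage itself (`portageq`, or `glsa-check` from gentoolkit for GLSA 201206-13) rather than reimplemented.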