| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | <dev-lang/mono-2.10.9-r1: XSS in ProcessRequest function (CVE-2012-3382) | | |
| Product: | Gentoo Security | Reporter: | the_eccentric |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | dotnet |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.openwall.com/lists/oss-security/2012/07/06/11 | | |
| Whiteboard: | B4 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description

the_eccentric, 2012-07-15 10:31:19 UTC

CVE-2012-3382 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3382): Cross-site scripting (XSS) vulnerability in the ProcessRequest function in mcs/class/System.Web/System.Web/HttpForbiddenHandler.cs in Mono 2.10.8 and earlier allows remote attackers to inject arbitrary web script or HTML via a file with a crafted name and a forbidden extension, which is not properly handled in an error message.

Is 2.10.9 affected too?

(In reply to comment #2)
> Is 2.10.9 affected too?

Yes.

+*mono-2.10.9-r1 (21 Jul 2012)
+
+  21 Jul 2012; Pacho Ramos <pacho@gentoo.org>
+  +files/mono-2.10.9-CVE-2012-3382.patch, +mono-2.10.9-r1.ebuild,
+  -mono-2.10.9.ebuild:
+  Fix CVE-2012-3382 (#426688), drop old.

Feel free to stabilize it

(In reply to comment #4)
> +*mono-2.10.9-r1 (21 Jul 2012)
> +
> +  21 Jul 2012; Pacho Ramos <pacho@gentoo.org>
> +  +files/mono-2.10.9-CVE-2012-3382.patch, +mono-2.10.9-r1.ebuild,
> +  -mono-2.10.9.ebuild:
> +  Fix CVE-2012-3382 (#426688), drop old.
> +
> Feel free to stabilize it

Thanks, Pacho. Arches, please test and mark stable:
=dev-lang/mono-2.10.9-r1
Target Keywords: "amd64 ppc x86"

x86 stable

amd64 stable

ppc stable.

Thanks, folks. Closing noglsa for XSS.
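The defect class described in this bug is a request-derived value (the path of a file with a forbidden extension) being written into an HTML error body without encoding. The following C# program is an added illustration and is not Mono's HttpForbiddenHandler code or the Gentoo patch; it uses System.Net.WebUtility from the base class library (rather than System.Web's HttpUtility) so it compiles as a plain console project, and the handler name, template text and sample path are constructed for the example.

```csharp
// Added example (not Mono's HttpForbiddenHandler): render a "forbidden"
// error page in which the requested path is treated as text, not markup.
using System;
using System.Net;

static class ForbiddenPage
{
    // Builds the error body. The request path is HTML-encoded before it is
    // placed in the document, so '<', '>', '&' and '"' in a file name are
    // displayed literally instead of being parsed by the browser.
    public static string Render(string requestedPath)
    {
        string safePath = WebUtility.HtmlEncode(requestedPath);
        return "<html><body><h1>Forbidden</h1>"
             + "<p>This type of page is not served: " + safePath + "</p>"
             + "</body></html>";
    }

    // Check usable from a unit test or deployment smoke test: the encoded
    // form of the input must appear in the page, and the raw form must not
    // (unless the input contained nothing that needed encoding at all).
    public static bool ReflectsInputAsText(string input, string page)
    {
        string encoded = WebUtility.HtmlEncode(input);
        return page.Contains(encoded)
            && (encoded == input || !page.Contains(input));
    }

    static void Main()
    {
        // Constructed sample request path (hypothetical; not from the bug).
        string path = "/app/<b>report</b>.asax";
        string page = Render(path);
        Console.WriteLine(page);
        Console.WriteLine(ReflectsInputAsText(path, page)
            ? "path reflected as text"
            : "raw markup from the request reached the page");
    }
}
```

Because the encoding happens at the point where untrusted data meets the HTML output, the check holds for any path the handler is given; a fix that instead filters particular characters out of the file name would need to be re-verified every time the set of forbidden extensions or the error template changes.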