CVE-2008-3422 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3422): Multiple cross-site scripting (XSS) vulnerabilities in the ASP.net class libraries in Mono 2.0 and earlier allow remote attackers to inject arbitrary web script or HTML via crafted attributes related to (1) HtmlControl.cs (PreProcessRelativeReference), (2) HtmlForm.cs (RenderAttributes), (3) HtmlInputButton (RenderAttributes), (4) HtmlInputRadioButton (RenderAttributes), and (5) HtmlSelect (RenderChildren).
Patches @ svn://anonsvn.mono-project.com/source
mono-1-9 : 109358
mono-2-0 : 109348
trunk : 109349
There is also a header injection issue, see here: https://bugzilla.novell.com/show_bug.cgi?id=418620
Quote:
Fixes for the following Mono branches have been committed:
branches/mono-1-1-7 (r111116)
branches/mono-1-1-18 (r111117)
branches/mono-1-2-2 (r111118)
branches/mono-1-2-5 (r111119)
branches/mono-1-9 (r111120)
Second part of the fix (implementation for 1.1) committed to the following branches:
trunk (r111122)
branches/mono-2-0 (r111123)
branches/mono-1-1-7 (r111125)
branches/mono-1-1-18 (r111126)
branches/mono-1-2-2 (r111127)
branches/mono-1-2-5 (r111128)
branches/mono-1-9 (r111129)
CVE-2008-3906 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-3906): CRLF injection vulnerability in Sys.Web in Mono 2.0 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the query string.
2.0 stable, GLSA-ready.
GLSA decision, I vote NO.
Confirmed that dev-lang/mono-2.0.1-r1 carries all fixes. Voting NO.