An unloading bug can, under some circumstances, let ASP.NET applications misbehave and return the source code (.aspx) of the application or any other file in the web application directory.
A vulnerability has been reported in Mono, which can be exploited by malicious people to disclose potentially sensitive information.
The vulnerability is caused due to an unspecified error within the "mod_mono" module and can be exploited to disclose the source code of ASPX scripts.
The vulnerability is reported in versions prior to 2.8.2.
+*mono-2.8.2 (25 Jan 2011)
+ 25 Jan 2011; Pacho Ramos <firstname.lastname@example.org> -mono-2.8.1-r1.ebuild,
+ +mono-2.8.2.ebuild, -mono-9999.ebuild, -files/mono-9999-libdir.patch:
+ Version bump, remove old testing and 9999 version since it's not really
+ maintained downstream.
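Review bot: the message on the "Version bump" line does not say that 2.8.2 is a security bump, so a later reader of the ChangeLog cannot tell why mono-2.8.1-r1.ebuild was removed in the same commit instead of being kept alongside the new version. Suggest referencing this bug and the mod_mono source disclosure in the entry, next to "Version bump".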
But I am still unable to bump moonlight to a working version with mono-2.8 :-S (bug #340375)
Okay, our stabilization target is =dev-lang/mono-2.8.2
Bug #340375 is probably going to block this, but there might be more, so CC-ing arches now.
Can we wait a bit more to get it stabilized, or is this too major a security problem?
I will probably open a bug with a list of dotnet-related things to stabilize (including mono-2.8.2 and others), but I would also like to wait a bit for bug 346135 (and will probably hardmask moonlight until they release a fixed tarball for 2.99.x).
This and other security problems will be solved with bug 351087.
Fixed packages have been stabilized via 352808 and, for ppc only, 359651.
GLSA Vote: yes.
Unspecified vulnerability in the mod_mono module for XSP in Mono 2.8.x
before 2.8.2 allows remote attackers to obtain the source code for .aspx
(ASP.NET) applications via unknown vectors related to an "unloading bug."
Vote: YES. Added to pending GLSA request.
This issue was resolved and addressed in
GLSA 201206-13 at http://security.gentoo.org/glsa/glsa-201206-13.xml
by GLSA coordinator Tobias Heinlein (keytoaster).