Common Vulnerabilities and Exposures assigned an identifier CVE-2012-3382 to the following vulnerability:

Cross-site scripting (XSS) vulnerability in the ProcessRequest function in mcs/class/System.Web/System.Web/HttpForbiddenHandler.cs in Mono 2.10.8 and earlier allows remote attackers to inject arbitrary web script or HTML via a file with a crafted name and a forbidden extension, which is not properly handled in an error message.

References:
[1] http://www.openwall.com/lists/oss-security/2012/07/06/11
[2] https://bugzilla.novell.com/show_bug.cgi?id=769799

Upstream patch:
[3] https://github.com/mono/mono/commit/d16d4623edb210635bec3ca3786481b82cde25a2
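The pattern this CVE describes, as an added illustration that is not Mono's HttpForbiddenHandler source and not part of this bug report: a 403 body that reflects the requested path unencoded, next to the encoded form. The message text, class name and method names are assumptions; compile with a reference to System.Web (e.g. `mcs -r:System.Web`).

```csharp
using System;
using System.Web;

// Constructed model of the flaw class behind CVE-2012-3382 (names and message
// text are assumptions, not Mono's actual code).
static class ForbiddenResponse
{
    // Vulnerable shape: the request path is concatenated into HTML as-is, so a
    // file name containing markup is rendered by the browser (reflected XSS).
    public static string BuildUnsafe(string requestPath)
    {
        return "<html><body><h1>403 Forbidden</h1><p>This type of file is not served: "
             + requestPath + "</p></body></html>";
    }

    // Hardened shape: HTML-encode every request-derived value before it enters
    // the body. HttpUtility.HtmlEncode turns < > & " into entities.
    public static string BuildSafe(string requestPath)
    {
        return "<html><body><h1>403 Forbidden</h1><p>This type of file is not served: "
             + HttpUtility.HtmlEncode(requestPath) + "</p></body></html>";
    }

    // Self-check a reviewer can apply to any error page: the raw request value
    // must not appear verbatim in the output when it carries HTML metacharacters.
    public static bool ReflectsRawMarkup(string body, string requestPath)
    {
        bool hasMarkup = requestPath.IndexOfAny(new[] { '<', '>', '"', '&' }) >= 0;
        return hasMarkup && body.Contains(requestPath);
    }

    static void Main()
    {
        // Constructed sample: a forbidden extension (.cs) with markup in the name.
        string path = "/app/<script>alert(1)</script>.cs";
        string unsafeBody = BuildUnsafe(path);
        string safeBody = BuildSafe(path);
        Console.WriteLine("unencoded body reflects markup: " + ReflectsRawMarkup(unsafeBody, path));
        Console.WriteLine("encoded body reflects markup:   " + ReflectsRawMarkup(safeBody, path));
        Console.WriteLine(safeBody);
    }
}
```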
CVE-2012-3382 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3382): Cross-site scripting (XSS) vulnerability in the ProcessRequest function in mcs/class/System.Web/System.Web/HttpForbiddenHandler.cs in Mono 2.10.8 and earlier allows remote attackers to inject arbitrary web script or HTML via a file with a crafted name and a forbidden extension, which is not properly handled in an error message.
Is 2.10.9 affected too?
(In reply to comment #2)
> Is 2.10.9 affected too?

Yes.
+*mono-2.10.9-r1 (21 Jul 2012) + + 21 Jul 2012; Pacho Ramos <pacho@gentoo.org> + +files/mono-2.10.9-CVE-2012-3382.patch, +mono-2.10.9-r1.ebuild, + -mono-2.10.9.ebuild: + Fix CVE-2012-3382 (#426688), drop old. + Feel free to stabilize it
(In reply to comment #4)
> +*mono-2.10.9-r1 (21 Jul 2012) > + > + 21 Jul 2012; Pacho Ramos <pacho@gentoo.org> > + +files/mono-2.10.9-CVE-2012-3382.patch, +mono-2.10.9-r1.ebuild, > + -mono-2.10.9.ebuild: > + Fix CVE-2012-3382 (#426688), drop old. > + > > Feel free to stabilize it

Thanks, Pacho.

Arches, please test and mark stable:
=dev-lang/mono-2.10.9-r1
Target Keywords: "amd64 ppc x86"
x86 stable
amd64 stable
ppc stable.
Thanks, folks. Closing noglsa for XSS.