Mandriva Linux Security Advisory - CRLF injection vulnerability in Sys.Web in Mono 2.0 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the query string. The updated packages have been patched to fix the issue.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2008:210
http://www.mandriva.com/security/
_______________________________________________________________________
Package : mono
Date : October 3, 2008
Affected: 2007.1, 2008.0, 2008.1
_______________________________________________________________________
Problem Description:
CRLF injection vulnerability in Sys.Web in Mono 2.0 and earlier allows
remote attackers to inject arbitrary HTTP headers and conduct HTTP
response splitting attacks via CRLF sequences in the query string.
The updated packages have been patched to fix the issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3906
_______________________________________________________________________
Updated Packages:
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFI5ohPmqjQ0CJFipgRAjYIAKCzXMe3gTau6/loKPvYMIe5OL93WACg7uz+
eS11qH2o6fIDbh/ulAFmrpg=
=McWr
-----END PGP SIGNATURE-----
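
Added example, not part of the advisory and not Mono's patch: a Python sketch of the flaw class described above, showing how a CRLF sequence decoded from the query string turns one header into two when headers are joined without validation, next to a serializer that rejects such values and a check for request logs. All function names and the sample query string are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# CR, LF and NUL are invalid inside a header field (RFC 9110, section 5.5).
_FORBIDDEN = re.compile(r"[\r\n\x00]")


def serialize_naive(headers):
    """Join headers without validation, the pattern that permits splitting."""
    return "".join(f"{name}: {value}\r\n" for name, value in headers) + "\r\n"


def serialize_checked(headers):
    """Refuse any header name or value that contains CR, LF or NUL."""
    for name, value in headers:
        if _FORBIDDEN.search(name) or _FORBIDDEN.search(value):
            raise ValueError(f"control character in header {name!r}")
    return serialize_naive(headers)


def header_lines(raw):
    """Return the header lines as a receiving parser would split them."""
    head = raw.split("\r\n\r\n", 1)[0]
    return head.split("\r\n")


def suspicious_params(query_string):
    """Names of query parameters whose decoded value carries CR, LF or NUL."""
    pairs = parse_qsl(query_string, keep_blank_values=True)
    return [name for name, value in pairs if _FORBIDDEN.search(value)]


# Constructed sample: a redirect target taken from the query string.
SAMPLE_QUERY = "next=%2Fhome%0d%0aX-Injected%3A%201&lang=en"

if __name__ == "__main__":
    target = dict(parse_qsl(SAMPLE_QUERY))["next"]
    response = [("Location", target), ("Content-Length", "0")]
    # The application set two headers; the receiver parses three.
    print(header_lines(serialize_naive(response)))
    print("flagged parameters:", suspicious_params(SAMPLE_QUERY))
    try:
        serialize_checked(response)
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting the value outright is preferable to stripping the control characters, since a stripped value can still carry attacker-chosen text into the header.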