Mandriva Linux Security Advisory 2009-269 - The XML HMAC signature system in mono did not correctly check certain lengths. If an attacker sent a truncated HMAC, it could bypass authentication, leading to potential privilege escalation. This update fixes this vulnerability.
98f6697d9cf09bb45bb080488af86cfc2efa174ebb20dbc53a7a8d92b104c124
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2009:269
http://www.mandriva.com/security/
_______________________________________________________________________
Package : mono
Date : October 12, 2009
Affected: 2009.1
_______________________________________________________________________
Problem Description:
A vulnerability has been found and corrected in mono:
The XML HMAC signature system did not correctly check certain
lengths. If an attacker sent a truncated HMAC, it could bypass
authentication, leading to potential privilege escalation
(CVE-2009-0217).
This update fixes this vulnerability.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0217
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2009.1:
96e9b3a164ba54df856e53d75f9a770e 2009.1/i586/jay-2.2-2.1mdv2009.1.i586.rpm
4f4670e50e1b8ebab0ae1c4b26a08fd0 2009.1/i586/libmono0-2.2-2.1mdv2009.1.i586.rpm
e3744379037dabebe6d42673d9eabe5b 2009.1/i586/libmono-devel-2.2-2.1mdv2009.1.i586.rpm
4a56747ad655d38fa12b1058d9064074 2009.1/i586/mono-2.2-2.1mdv2009.1.i586.rpm
003d4591273b096b5821e23568cf5e0a 2009.1/i586/mono-bytefx-data-mysql-2.2-2.1mdv2009.1.i586.rpm
d9e290994110aa9dd017c660000bddd7 2009.1/i586/mono-data-2.2-2.1mdv2009.1.i586.rpm
458f50bfd97cc07af88810454b010e1f 2009.1/i586/mono-data-firebird-2.2-2.1mdv2009.1.i586.rpm
9a1d5cb0870076d0295c3acf47c0f71f 2009.1/i586/mono-data-oracle-2.2-2.1mdv2009.1.i586.rpm
1122700a1b4c50a730ad4750854ab240 2009.1/i586/mono-data-postgresql-2.2-2.1mdv2009.1.i586.rpm
dbd00c88b8c0d2cdd63abb17af398c27 2009.1/i586/mono-data-sqlite-2.2-2.1mdv2009.1.i586.rpm
3b3aa065531b9799deada8bd05f19916 2009.1/i586/mono-data-sybase-2.2-2.1mdv2009.1.i586.rpm
61f0442d103a426463656bc904b14616 2009.1/i586/mono-doc-2.2-2.1mdv2009.1.i586.rpm
7040660051b34492e967987f51ece5af 2009.1/i586/monodoc-core-2.2-2.1mdv2009.1.i586.rpm
00cd782fe8c4e709027d4971d29b8b3e 2009.1/i586/mono-extras-2.2-2.1mdv2009.1.i586.rpm
0f806054daf0af31829fe2b0354250f4 2009.1/i586/mono-ibm-data-db2-2.2-2.1mdv2009.1.i586.rpm
f930305f456043350c81e3c44f19bb31 2009.1/i586/mono-jscript-2.2-2.1mdv2009.1.i586.rpm
189188a2077200423f6161b426204037 2009.1/i586/mono-locale-extras-2.2-2.1mdv2009.1.i586.rpm
a237cc30a57ea6558fa26a04b9f3651b 2009.1/i586/mono-nunit-2.2-2.1mdv2009.1.i586.rpm
382a16b45688e1643f1891b3d1d95a22 2009.1/i586/mono-wcf-2.2-2.1mdv2009.1.i586.rpm
f4e6ada2408f0da6a96fdb28e3999049 2009.1/i586/mono-web-2.2-2.1mdv2009.1.i586.rpm
cfe865c6c6fc5e1fa705d169595b0b4d 2009.1/i586/mono-winforms-2.2-2.1mdv2009.1.i586.rpm
7232fac0d533279ca536237489068246 2009.1/SRPMS/mono-2.2-2.1mdv2009.1.src.rpm
Mandriva Linux 2009.1/X86_64:
bff1779d589c70471dbb6b05ee82e227 2009.1/x86_64/jay-2.2-2.1mdv2009.1.x86_64.rpm
a03b05d0e5f94da47e5c3105b2d0df22 2009.1/x86_64/lib64mono0-2.2-2.1mdv2009.1.x86_64.rpm
828983abe2dcb2d8a2967458bb90588f 2009.1/x86_64/lib64mono-devel-2.2-2.1mdv2009.1.x86_64.rpm
0c60ed0e602dcae3ec7308ee937133b0 2009.1/x86_64/mono-2.2-2.1mdv2009.1.x86_64.rpm
8bc1829108be95bb5e69a2ae3a920d5c 2009.1/x86_64/mono-bytefx-data-mysql-2.2-2.1mdv2009.1.x86_64.rpm
85ae4608e417cdb09f22e8105010666f 2009.1/x86_64/mono-data-2.2-2.1mdv2009.1.x86_64.rpm
3e280a15afa1e0e49260d0a1cab64ba9 2009.1/x86_64/mono-data-firebird-2.2-2.1mdv2009.1.x86_64.rpm
8b46279669d7058b4e694f10abfc5a71 2009.1/x86_64/mono-data-oracle-2.2-2.1mdv2009.1.x86_64.rpm
08bb987e63fa734630fa42cbd4765e5f 2009.1/x86_64/mono-data-postgresql-2.2-2.1mdv2009.1.x86_64.rpm
0de9d14ce9a694486ed1fc61fc849622 2009.1/x86_64/mono-data-sqlite-2.2-2.1mdv2009.1.x86_64.rpm
22686169abac34886e19a8e8ae317a2d 2009.1/x86_64/mono-data-sybase-2.2-2.1mdv2009.1.x86_64.rpm
ac03ca7841196be3fb34cb952d426078 2009.1/x86_64/mono-doc-2.2-2.1mdv2009.1.x86_64.rpm
a36a5699db35f9e265a2082cb9d47d9a 2009.1/x86_64/monodoc-core-2.2-2.1mdv2009.1.x86_64.rpm
96bf175550b6f4ae2713711c603226a5 2009.1/x86_64/mono-extras-2.2-2.1mdv2009.1.x86_64.rpm
da4fd7e69ca81b3ac9c633905699b706 2009.1/x86_64/mono-ibm-data-db2-2.2-2.1mdv2009.1.x86_64.rpm
d31b2c8140166736ce6a4adb00c9b2f7 2009.1/x86_64/mono-jscript-2.2-2.1mdv2009.1.x86_64.rpm
158058655ac916fb99bd9b16dab7f6c2 2009.1/x86_64/mono-locale-extras-2.2-2.1mdv2009.1.x86_64.rpm
1c4a616ecab13e6ecd21fc236fd0f075 2009.1/x86_64/mono-nunit-2.2-2.1mdv2009.1.x86_64.rpm
9cbdfc4932b805bbe20c8efd313b11c0 2009.1/x86_64/mono-wcf-2.2-2.1mdv2009.1.x86_64.rpm
e6a47f1c4de5510bee4219e90380e679 2009.1/x86_64/mono-web-2.2-2.1mdv2009.1.x86_64.rpm
85901b71e4bea731f859f5fafdcb741f 2009.1/x86_64/mono-winforms-2.2-2.1mdv2009.1.x86_64.rpm
7232fac0d533279ca536237489068246 2009.1/SRPMS/mono-2.2-2.1mdv2009.1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFK0wvymqjQ0CJFipgRAlhzAKDoXKLa2qW+Id1s0NHhWhk3kqgiCQCdEp47
oPQSF0uxU0unkgRuLO7EGpY=
=xrI4
-----END PGP SIGNATURE-----