- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory           GLSA 201206-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Mono: Multiple vulnerabilities
      Date: June 21, 2012
      Bugs: #277878, #342133, #345561, #346401, #351087, #372983
        ID: 201206-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities were found in Mono, the worst of which allows
for the remote execution of arbitrary code.

Background
==========

Mono is an open source implementation of Microsoft's .NET Framework.

Affected packages
=================

    -------------------------------------------------------------------
     Package                  /     Vulnerable     /         Unaffected
    -------------------------------------------------------------------
  1  dev-util/mono-debugger         < 2.8.1-r1            >= 2.8.1-r1
  2  dev-lang/mono                  < 2.10.2-r1           >= 2.10.2-r1
    -------------------------------------------------------------------
     2 affected packages

Description
===========

Multiple vulnerabilities have been discovered in Mono and Mono debugger.
Please review the CVE identifiers referenced below for details.

Impact
======

A remote attacker could execute arbitrary code, bypass general
constraints, obtain the source code for .aspx applications, obtain other
sensitive information, cause a Denial of Service, modify internal data
structures, or corrupt the internal state of the security manager.

A local attacker could entice a user into running Mono debugger in a
directory containing a specially crafted library file to execute
arbitrary code with the privileges of the user running Mono debugger.

A context-dependent attacker could bypass the authentication mechanism
provided by the XML Signature specification.

Workaround
==========

There is no known workaround at this time.
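As an added example, not part of the advisory or of Gentoo's own tooling: a small Python check that compares an inventory of installed package versions against the Affected packages table above, using the Portage ordering for dotted numeric versions with an optional -rN revision. The sample inventory is constructed, and version suffixes such as _rc or _p are an assumption left out of scope.

```python
"""Check installed Gentoo package versions against GLSA 201206-13.

Added example, not part of the advisory. The comparison covers dotted
integer components plus an optional -rN revision, which is all this
advisory's versions use; other PMS version features (letter suffixes,
_rc/_p suffixes, the leading-zero component rule) are not implemented
and raise ValueError instead of guessing.
"""
import re

# Affected-package table copied from the advisory: package -> first unaffected version.
AFFECTED = {
    "dev-util/mono-debugger": "2.8.1-r1",
    "dev-lang/mono": "2.10.2-r1",
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_version(ver):
    """Return ((numeric components), revision) for a string such as '2.10.2-r1'."""
    m = _VERSION_RE.match(ver)
    if not m:
        raise ValueError(f"unsupported version string: {ver}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts, int(m.group(2) or 0)


def compare_versions(a, b):
    """Return -1, 0 or 1. Tuple ordering matches Portage for these versions:
    a version with more components (2.8.1 vs 2.8) sorts higher, and the
    -rN revision only breaks ties between otherwise equal versions."""
    ka, kb = parse_version(a), parse_version(b)
    return (ka > kb) - (ka < kb)


def is_vulnerable(package, installed):
    """True if the installed version is below the advisory's unaffected bound."""
    if package not in AFFECTED:
        return False
    return compare_versions(installed, AFFECTED[package]) < 0


def audit(installed):
    """installed: {package: version}; returns (package, version, fix) for each still-vulnerable package."""
    return [(p, v, AFFECTED[p]) for p, v in installed.items() if is_vulnerable(p, v)]


# Constructed sample inventory, not real system data.
SAMPLE = {"dev-lang/mono": "2.10.2", "dev-util/mono-debugger": "2.8.1-r1", "dev-lang/python": "2.7.3"}

if __name__ == "__main__":
    for pkg, ver, fix in audit(SAMPLE):
        print(f"{pkg}-{ver} is vulnerable; upgrade to >= {fix}")
```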
Resolution
==========

All Mono debugger users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=dev-util/mono-debugger-2.8.1-r1"

All Mono users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=dev-lang/mono-2.10.2-r1"

References
==========

  [ 1 ] CVE-2009-0217
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0217
  [ 2 ] CVE-2010-3332
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3332
  [ 3 ] CVE-2010-3369
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3369
  [ 4 ] CVE-2010-4159
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4159
  [ 5 ] CVE-2010-4225
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4225
  [ 6 ] CVE-2010-4254
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4254
  [ 7 ] CVE-2011-0989
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0989
  [ 8 ] CVE-2011-0990
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0990
  [ 9 ] CVE-2011-0991
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0991
  [ 10 ] CVE-2011-0992
        http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0992

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-201206-13.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5