 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2008:210
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : mono
 Date    : October 3, 2008
 Affected: 2007.1, 2008.0, 2008.1
 _______________________________________________________________________

 Problem Description:

 CRLF injection vulnerability in Sys.Web in Mono 2.0 and earlier allows
 remote attackers to inject arbitrary HTTP headers and conduct HTTP
 response splitting attacks via CRLF sequences in the query string.

 The updated packages have been patched to fix the issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3906
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2007.1
 Mandriva Linux 2007.1/X86_64
 Mandriva Linux 2008.0
 Mandriva Linux 2008.0/X86_64
 Mandriva Linux 2008.1
 Mandriva Linux 2008.1/X86_64
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security. You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
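
 The flaw class named under Problem Description, as an added C# illustration that is not Mono's code or the Mandriva patch: a header value taken from a decoded query string is written verbatim, then the same write is done with a CR/LF check. The names HeaderDemo, SerializeUnsafe, SerializeSafe, CountHeaderLines and the sample value are hypothetical.

```csharp
using System;

// Added illustration; not Mono's System.Web code and not the vendor patch.
static class HeaderDemo
{
    // Unsafe: the value is emitted verbatim, so a CR LF inside it
    // terminates the header line early and starts a new one.
    static string SerializeUnsafe(string name, string value) =>
        name + ": " + value + "\r\n";

    // Hardened: reject any field that carries CR, LF or NUL before
    // it reaches the wire. The name must not contain ':' either.
    static string SerializeSafe(string name, string value)
    {
        if (name.IndexOfAny(new[] { '\r', '\n', '\0', ':' }) >= 0 ||
            value.IndexOfAny(new[] { '\r', '\n', '\0' }) >= 0)
        {
            throw new ArgumentException("control character in header field");
        }
        return name + ": " + value + "\r\n";
    }

    // Number of header lines a downstream parser would see in the block.
    static int CountHeaderLines(string block) =>
        block.Split(new[] { "\r\n" }, StringSplitOptions.RemoveEmptyEntries).Length;

    static void Main()
    {
        // Constructed sample: a query-string value after URL decoding
        // (%0d%0a decodes to CR LF).
        string returnUrl = Uri.UnescapeDataString("/home%0d%0aX-Injected: 1");

        string raw = SerializeUnsafe("Location", returnUrl);
        Console.WriteLine("unsafe write, header lines seen: " + CountHeaderLines(raw));

        try
        {
            SerializeSafe("Location", returnUrl);
        }
        catch (ArgumentException e)
        {
            Console.WriteLine("safe write rejected value: " + e.Message);
        }

        // A clean value passes through unchanged.
        Console.WriteLine("safe write: " + SerializeSafe("Location", "/home").TrimEnd());
    }
}
```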