USN-826-1: Mono vulnerabilities

26 August 2009

mono vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 9.04
  • Ubuntu 8.10
  • Ubuntu 8.04 LTS

Software Description

  • mono

Details

It was discovered that the XML HMAC signature system did not correctly check certain lengths. If an attacker sent a truncated HMAC, it could bypass authentication, leading to potential privilege escalation. (CVE-2009-0217)

It was discovered that Mono did not properly escape certain attributes in the ASP.net class libraries which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data (such as passwords), within the same domain. This issue only affected Ubuntu 8.04 LTS. (CVE-2008-3422)

It was discovered that Mono did not properly filter CRLF injections in the query string. If a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, steal confidential data (such as passwords), or perform cross-site request forgeries. This issue only affected Ubuntu 8.04 LTS. (CVE-2008-3906)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 9.04
libmono-security1.0-cil - 2.0.1-4ubuntu0.1
libmono-security2.0-cil - 2.0.1-4ubuntu0.1
libmono-system-web1.0-cil - 2.0.1-4ubuntu0.1
libmono-system-web2.0-cil - 2.0.1-4ubuntu0.1
Ubuntu 8.10
libmono-security1.0-cil - 1.9.1+dfsg-4ubuntu2.1
libmono-security2.0-cil - 1.9.1+dfsg-4ubuntu2.1
libmono-system-web1.0-cil - 1.9.1+dfsg-4ubuntu2.1
libmono-system-web2.0-cil - 1.9.1+dfsg-4ubuntu2.1
Ubuntu 8.04 LTS
libmono-security1.0-cil - 1.2.6+dfsg-6ubuntu3.1
libmono-security2.0-cil - 1.2.6+dfsg-6ubuntu3.1
libmono-system-web1.0-cil - 1.2.6+dfsg-6ubuntu3.1
libmono-system-web2.0-cil - 1.2.6+dfsg-6ubuntu3.1

To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system upgrade is sufficient to effect the necessary changes.

References