retitle 608288 mono: CVE-2010-4254 and CVE-2010-4225
thanks

On Wed, Dec 29, 2010 at 06:32:37PM +0100, Giuseppe Iuculano wrote:
> Package: moon
> Severity: serious
> Tags: security
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for moon.
> 
> CVE-2010-4254[0]:
> | Mono, when Moonlight before 2.3.0.1 or 2.99.x before 2.99.0.10 is
> | used, does not properly validate arguments to generic methods, which
> | allows remote attackers to bypass generic constraints, and possibly
> | execute arbitrary code, via a crafted method call.

http://www.mono-project.com/Vulnerabilities lists the following patches:
https://github.com/mono/mono/commit/4905ef1130feb26c3150b28b97e4a96752e0d399
https://github.com/mono/mono/commit/65292a69c837b8a5f7a392d34db63de592153358
https://github.com/mono/mono/commit/cf1ec146f7c6acdc6697032b3aaafc68ffacdcac

Also, a new issue was announced on the same page:
XSP/mod_mono source code disclosure (CVE-2010-4225)
http://www.mono-project.com/Release_Notes_Mono_2.8.2

I don't have a reference to the patch, but it can likely be extracted.

Please prepare a 2.6.7-5 upload with the security fixes and ask release
managers for an unblock.

Cheers,
        Moritz


