[ MDVSA-2009:268 ] mono

[dude67]

_______________________________________________________________________

Package : mono
Date : October 12, 2009
Affected: 2008.1, 2009.0, Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities has been found and corrected in mono:

Multiple cross-site scripting (XSS) vulnerabilities in the ASP.net
class libraries in Mono 2.0 and earlier allow remote attackers to
inject arbitrary web script or HTML via crafted attributes related to
(1) HtmlControl.cs (PreProcessRelativeReference), (2) HtmlForm.cs
(RenderAttributes), (3) HtmlInputButton (RenderAttributes),
(4) HtmlInputRadioButton (RenderAttributes), and (5) HtmlSelect
(RenderChildren) (CVE-2008-3422).

The XML HMAC signature system did not correctly check certain
lengths. If an attacker sent a truncated HMAC, it could bypass
authentication, leading to potential privilege escalation
(CVE-2009-0217).

This update fixes these vulnerabilities.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cg ... -2008-3422
http://cve.mitre.org/cgi-bin/cvename.cg ... -2009-0217
_______________________________________________________________________