[USN-2547-1] Mono vulnerabilities

Marc Deslauriers marc.deslauriers at canonical.com
Tue Mar 24 13:20:21 UTC 2015 

==========================================================================
Ubuntu Security Notice USN-2547-1
March 24, 2015

mono vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

Several security issues were fixed in Mono.

Software Description:
- mono: Mono is a platform for running and developing applications

Details:

It was discovered that the Mono TLS implementation was vulnerable to the
SKIP-TLS vulnerability. A remote attacker could possibly use this issue
to perform client impersonation attacks. (CVE-2015-2318)

It was discovered that the Mono TLS implementation was vulnerable to the
FREAK vulnerability. A remote attacker or a man in the middle could
possibly use this issue to force the use of insecure ciphersuites.
(CVE-2015-2319)

It was discovered that the Mono TLS implementation still supported a
fallback to SSLv2. This update removes the functionality as use of SSLv2 is
known to be insecure. (CVE-2015-2320)

It was discovered that Mono incorrectly handled memory in certain
circumstances. A remote attacker could possibly use this issue to cause
Mono to crash, resulting in a denial of service, or to obtain sensitive
information. This issue only applied to Ubuntu 12.04 LTS. (CVE-2011-0992)

It was discovered that Mono incorrectly handled hash collisions. A remote
attacker could possibly use this issue to cause Mono to crash, resulting in
a denial of service. This issue only applied to Ubuntu 12.04 LTS.
(CVE-2012-3543)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.10:
  libmono-2.0-1                   3.2.8+dfsg-4ubuntu2.1
  mono-runtime                    3.2.8+dfsg-4ubuntu2.1

Ubuntu 14.04 LTS:
  libmono-2.0-1                   3.2.8+dfsg-4ubuntu1.1
  mono-runtime                    3.2.8+dfsg-4ubuntu1.1

Ubuntu 12.04 LTS:
  libmono-2.0-1                   2.10.8.1-1ubuntu2.3
  mono-runtime                    2.10.8.1-1ubuntu2.3

After a standard system update you need to restart Mono applications to
make all the necessary changes.

References:
  http://www.ubuntu.com/usn/usn-2547-1
  CVE-2011-0992, CVE-2012-3543, CVE-2015-2318, CVE-2015-2319,
  CVE-2015-2320

Package Information:
  https://launchpad.net/ubuntu/+source/mono/3.2.8+dfsg-4ubuntu2.1
  https://launchpad.net/ubuntu/+source/mono/3.2.8+dfsg-4ubuntu1.1
  https://launchpad.net/ubuntu/+source/mono/2.10.8.1-1ubuntu2.3


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20150324/cb90b777/attachment.sig>

More information about the ubuntu-security-announce mailing list