Bug 6789

Ubuntu has issued an advisory for this on July 25:
http://www.ubuntu.com/usn/usn-1517-1/

(In reply to comment #0)
> Debian has issued an advisory on July 12:
> http://lwn.net/Alerts/506684/
> 
> Mageia 2 is not affected as it was fixed upstream in 2.10.9.
> 
> Debian's bugzilla has a link to the upstream fix:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681095

Patch applied and submitted in mono-2.10.1-1.1.mga1 that is now built in core/updates_testing of Mageia 1. Please test.

Regards,

-- Shlomi Fish

CC: (none) => shlomif

Thanks Shlomi!

Advisory:
========================

Updated mono packages fix security vulnerability:

Cross-site scripting (XSS) vulnerability in the ProcessRequest function
in mcs/class/System.Web/System.Web/HttpForbiddenHandler.cs in Mono 2.10.8
and earlier allows remote attackers to inject arbitrary web script or HTML
via a file with a crafted name and a forbidden extension, which is not
properly handled in an error message (CVE-2012-3382).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3382
http://www.debian.org/security/2012/dsa-2512
========================

Updated packages in core/updates_testing:
========================
mono-2.10.1-1.1.mga1
mono-doc-2.10.1-1.1.mga1
libmono0-2.10.1-1.1.mga1
libmono2.0_1-2.10.1-1.1.mga1
mono-data-sqlite-2.10.1-1.1.mga1
libmono-devel-2.10.1-1.1.mga1
mono-winfxcore-2.10.1-1.1.mga1
mono-web-2.10.1-1.1.mga1
mono-data-oracle-2.10.1-1.1.mga1
mono-data-2.10.1-1.1.mga1
mono-extras-2.10.1-1.1.mga1
mono-ibm-data-db2-2.10.1-1.1.mga1
mono-winforms-2.10.1-1.1.mga1
mono-locale-extras-2.10.1-1.1.mga1
mono-data-postgresql-2.10.1-1.1.mga1
mono-nunit-2.10.1-1.1.mga1
monodoc-core-2.10.1-1.1.mga1
mono-wcf-2.10.1-1.1.mga1

from mono-2.10.1-1.1.mga1.src.rpm

Assignee: bugsquad => qa-bugs

Trying to test this using the examples at
http://www.mono-project.com/Consuming_a_WebService

Looks like the documentation is out of date.

I replaced http://api.google.com/GoogleSearch.wsdl with
http://code.creativecommons.org/svnroot/stats/GoogleSearch.wsdl
but compiling the sample code, spellchecker.cs, fails with

$ mcs /r:GoogleSearchService.dll spellchecker.cs
spellchecker.cs(11,17): error CS0012: The type `System.Web.Services.Protocols.SoapHttpClientProtocol' is defined in an assembly that is not referenced. Consider adding a reference to assembly `System.Web.Services, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'
spellchecker.cs(11,52): error CS0012: The type `System.Web.Services.Protocols.SoapHttpClientProtocol' is defined in an assembly that is not referenced. Consider adding a reference to assembly `System.Web.Services, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a'
Compilation failed: 2 error(s), 0 warnings

Also I don't see anything on the google accounts page about getting a key.

Any link to a more suitable example, to use for testing?

CC: (none) => davidwhodgins

Hi David,

(In reply to comment #4)
> Trying to test this using the examples at
> http://www.mono-project.com/Consuming_a_WebService
> 
> Looks like the documentation is out of date.
> 
> I replaced http://api.google.com/GoogleSearch.wsdl with
> http://code.creativecommons.org/svnroot/stats/GoogleSearch.wsdl
> but compiling the sample code, spellchecker.cs, fails with
> 
> $ mcs /r:GoogleSearchService.dll spellchecker.cs
> spellchecker.cs(11,17): error CS0012: The type
> `System.Web.Services.Protocols.SoapHttpClientProtocol' is defined in an
> assembly that is not referenced. Consider adding a reference to assembly
> `System.Web.Services, Version=2.0.0.0, Culture=neutral,
> PublicKeyToken=b03f5f7f11d50a3a'
> spellchecker.cs(11,52): error CS0012: The type
> `System.Web.Services.Protocols.SoapHttpClientProtocol' is defined in an
> assembly that is not referenced. Consider adding a reference to assembly
> `System.Web.Services, Version=2.0.0.0, Culture=neutral,
> PublicKeyToken=b03f5f7f11d50a3a'
> Compilation failed: 2 error(s), 0 warnings
> 
> Also I don't see anything on the google accounts page about getting a key.
> 
> Any link to a more suitable example, to use for testing?

I'm not a Mono or .NET expert either, but you can try testing it by running Mono-based applications such as Banshee, Tomboy, or F-Spot, and seeing if they are mostly OK.

Mandriva has issued an advisory for this today (August 20):
http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:140

Testing complete on Mageia 1 i586.

Testing using f-spot and banshee with last-fm and the Internet Archive.

I'll test Mageia 1 x86-64 shortly.

Whiteboard: (none) => MGA1-32-OK

Testing complete on Mageia 1 x86-64.

Could someone from the sysadmin team push the srpm
mono-2.10.1-1.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated mono packages fix security vulnerability:

Cross-site scripting (XSS) vulnerability in the ProcessRequest function
in mcs/class/System.Web/System.Web/HttpForbiddenHandler.cs in Mono 2.10.8
and earlier allows remote attackers to inject arbitrary web script or HTML
via a file with a crafted name and a forbidden extension, which is not
properly handled in an error message (CVE-2012-3382).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3382
http://www.debian.org/security/2012/dsa-2512

https://bugs.mageia.org/show_bug.cgi?id=6789

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1-32-OK => MGA1-32-OK MGA1-64-OK

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0232

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED