Gentoo has issued an advisory on May 18: http://www.gentoo.org/security/en/glsa/glsa-201405-16.xml Patched package uploaded for Mageia 3. Advisory: ======================== Updated mono packages fix security vulnerability: Mono 2.10.9 does not properly randomize hash functions for form posts to protect against hash collision attacks. A remote attacker could send specially crafted parameters, possibly resulting in a Denial of Service condition (CVE-2012-3543). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3543 http://www.gentoo.org/security/en/glsa/glsa-201405-16.xml ======================== Updated packages in core/updates_testing: ======================== mono-2.10.9-4.1.mga3 mono-doc-2.10.9-4.1.mga3 libmono0-2.10.9-4.1.mga3 libmono2.0_1-2.10.9-4.1.mga3 mono-data-sqlite-2.10.9-4.1.mga3 libmono-devel-2.10.9-4.1.mga3 mono-winfxcore-2.10.9-4.1.mga3 mono-web-2.10.9-4.1.mga3 mono-data-oracle-2.10.9-4.1.mga3 mono-data-2.10.9-4.1.mga3 mono-extras-2.10.9-4.1.mga3 mono-ibm-data-db2-2.10.9-4.1.mga3 mono-winforms-2.10.9-4.1.mga3 mono-locale-extras-2.10.9-4.1.mga3 mono-data-postgresql-2.10.9-4.1.mga3 mono-nunit-2.10.9-4.1.mga3 monodoc-core-2.10.9-4.1.mga3 mono-wcf-2.10.9-4.1.mga3 from mono-2.10.9-4.1.mga3.src.rpm Reproducible: Steps to Reproduce:
Is there a PoC, or should I just test apps that use mono? Carolyn
CC: (none) => cmrisolde
I'm not aware of a PoC.
Test with something from the list from.. $ urpmq --whatrequires mono Banshee media player is a good one
Whiteboard: (none) => has_procedure
In VirtualBox, M3, KDE, 32-bit Package(s) under test: mono banshee ( mono installs with banshee install ) default install of mono & banshee [root@localhost wilcal]# urpmi mono Package mono-2.10.9-4.mga3.i586 is already installed [root@localhost wilcal]# urpmi banshee Package banshee-2.6.0-3.mga3.i586 is already installed I can play an mp3 file with banshee. install mono from updates_testing [root@localhost wilcal]# urpmi mono Package mono-2.10.9-4.1.mga3.i586 is already installed I can play an mp3 file with banshee. Test platform: Intel Core i7-2600K Sandy Bridge 3.4GHz GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB RTL8111/8168B PCI Express 1Gbit Ethernet DRAM 16GB (4 x 4GB) Mageia 4 64-bit, Nvidia driver virtualbox-4.3.10-1.1.mga4.x86_64 virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
CC: (none) => wilcal.int
In VirtualBox, M3, KDE, 64-bit Package(s) under test: mono banshee ( mono installs with banshee install ) default install of mono & banshee [root@localhost wilcal]# urpmi mono Package mono-2.10.9-4.mga3.x86_64 is already installed [root@localhost wilcal]# urpmi banshee Package banshee-2.6.0-3.mga3.x86_64 is already installed I can play an mp3 file with banshee. install mono from updates_testing [root@localhost wilcal]# urpmi mono Package mono-2.10.9-4.1.mga3.x86_64 is already installed I can play an mp3 file with banshee. Test platform: Intel Core i7-2600K Sandy Bridge 3.4GHz GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB RTL8111/8168B PCI Express 1Gbit Ethernet DRAM 16GB (4 x 4GB) Mageia 4 64-bit, Nvidia driver virtualbox-4.3.10-1.1.mga4.x86_64 virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
For me this update works fine. Testing complete for mga3 32-bit & 64-bit Is this enough to Validate this update?
(In reply to William Kenney from comment #6) > For me this update works fine. > Testing complete for mga3 32-bit & 64-bit > Is this enough to Validate this update? I believe so.
Validating the update. Could someone from the sysadmin team push this to updates. Thanks
Keywords: (none) => validated_updateWhiteboard: has_procedure => has_procedure MGA3-32-OK MGA3-64-OKCC: (none) => sysadmin-bugs
Advisory uploaded. Update pushed: http://advisories.mageia.org/MGASA-2014-0244.html
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXEDWhiteboard: has_procedure MGA3-32-OK MGA3-64-OK => has_procedure MGA3-32-OK MGA3-64-OK advisory