Debian has issued an advisory on July 12: http://lwn.net/Alerts/506684/ Mageia 2 is not affected as it was fixed upstream in 2.10.9. Debian's bugzilla has a link to the upstream fix: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681095
CC: (none) => pterjan
CC: (none) => dmorganec
Ubuntu has issued an advisory for this on July 25: http://www.ubuntu.com/usn/usn-1517-1/
(In reply to comment #0) > Debian has issued an advisory on July 12: > http://lwn.net/Alerts/506684/ > > Mageia 2 is not affected as it was fixed upstream in 2.10.9. > > Debian's bugzilla has a link to the upstream fix: > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=681095 Patch applied and submitted in mono-2.10.1-1.1.mga1 that is now built in core/updates_testing of Mageia 1. Please test. Regards, -- Shlomi Fish
CC: (none) => shlomif
Thanks Shlomi! Advisory: ======================== Updated mono packages fix security vulnerability: Cross-site scripting (XSS) vulnerability in the ProcessRequest function in mcs/class/System.Web/System.Web/HttpForbiddenHandler.cs in Mono 2.10.8 and earlier allows remote attackers to inject arbitrary web script or HTML via a file with a crafted name and a forbidden extension, which is not properly handled in an error message (CVE-2012-3382). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3382 http://www.debian.org/security/2012/dsa-2512 ======================== Updated packages in core/updates_testing: ======================== mono-2.10.1-1.1.mga1 mono-doc-2.10.1-1.1.mga1 libmono0-2.10.1-1.1.mga1 libmono2.0_1-2.10.1-1.1.mga1 mono-data-sqlite-2.10.1-1.1.mga1 libmono-devel-2.10.1-1.1.mga1 mono-winfxcore-2.10.1-1.1.mga1 mono-web-2.10.1-1.1.mga1 mono-data-oracle-2.10.1-1.1.mga1 mono-data-2.10.1-1.1.mga1 mono-extras-2.10.1-1.1.mga1 mono-ibm-data-db2-2.10.1-1.1.mga1 mono-winforms-2.10.1-1.1.mga1 mono-locale-extras-2.10.1-1.1.mga1 mono-data-postgresql-2.10.1-1.1.mga1 mono-nunit-2.10.1-1.1.mga1 monodoc-core-2.10.1-1.1.mga1 mono-wcf-2.10.1-1.1.mga1 from mono-2.10.1-1.1.mga1.src.rpm
Assignee: bugsquad => qa-bugs
Trying to test this using the examples at http://www.mono-project.com/Consuming_a_WebService Looks like the documentation is out of date. I replaced http://api.google.com/GoogleSearch.wsdl with http://code.creativecommons.org/svnroot/stats/GoogleSearch.wsdl but compiling the sample code, spellchecker.cs, fails with $ mcs /r:GoogleSearchService.dll spellchecker.cs spellchecker.cs(11,17): error CS0012: The type `System.Web.Services.Protocols.SoapHttpClientProtocol' is defined in an assembly that is not referenced. Consider adding a reference to assembly `System.Web.Services, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' spellchecker.cs(11,52): error CS0012: The type `System.Web.Services.Protocols.SoapHttpClientProtocol' is defined in an assembly that is not referenced. Consider adding a reference to assembly `System.Web.Services, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' Compilation failed: 2 error(s), 0 warnings Also I don't see anything on the google accounts page about getting a key. Any link to a more suitable example, to use for testing?
CC: (none) => davidwhodgins
Whiteboard: (none) => feedback
Hi David, (In reply to comment #4) > Trying to test this using the examples at > http://www.mono-project.com/Consuming_a_WebService > > Looks like the documentation is out of date. > > I replaced http://api.google.com/GoogleSearch.wsdl with > http://code.creativecommons.org/svnroot/stats/GoogleSearch.wsdl > but compiling the sample code, spellchecker.cs, fails with > > $ mcs /r:GoogleSearchService.dll spellchecker.cs > spellchecker.cs(11,17): error CS0012: The type > `System.Web.Services.Protocols.SoapHttpClientProtocol' is defined in an > assembly that is not referenced. Consider adding a reference to assembly > `System.Web.Services, Version=2.0.0.0, Culture=neutral, > PublicKeyToken=b03f5f7f11d50a3a' > spellchecker.cs(11,52): error CS0012: The type > `System.Web.Services.Protocols.SoapHttpClientProtocol' is defined in an > assembly that is not referenced. Consider adding a reference to assembly > `System.Web.Services, Version=2.0.0.0, Culture=neutral, > PublicKeyToken=b03f5f7f11d50a3a' > Compilation failed: 2 error(s), 0 warnings > > Also I don't see anything on the google accounts page about getting a key. > > Any link to a more suitable example, to use for testing? I'm not a Mono or .NET expert either, but you can try testing it by running Mono-based applications such as Banshee, Tomboy, or F-Spot, and seeing if they are mostly OK.
CC: (none) => stormiWhiteboard: feedback => (none)
Mandriva has issued an advisory for this today (August 20): http://www.mandriva.com/en/support/security/advisories/?dis=2011&name=MDVSA-2012:140
Testing complete on Mageia 1 i586. Testing using f-spot and banshee with last-fm and the Internet Archive. I'll test Mageia 1 x86-64 shortly.
Whiteboard: (none) => MGA1-32-OK
Testing complete on Mageia 1 x86-64. Could someone from the sysadmin team push the srpm mono-2.10.1-1.1.mga1.src.rpm from Mageia 1 Core Updates Testing to Core Updates. Advisory: Updated mono packages fix security vulnerability: Cross-site scripting (XSS) vulnerability in the ProcessRequest function in mcs/class/System.Web/System.Web/HttpForbiddenHandler.cs in Mono 2.10.8 and earlier allows remote attackers to inject arbitrary web script or HTML via a file with a crafted name and a forbidden extension, which is not properly handled in an error message (CVE-2012-3382). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3382 http://www.debian.org/security/2012/dsa-2512 https://bugs.mageia.org/show_bug.cgi?id=6789
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugsWhiteboard: MGA1-32-OK => MGA1-32-OK MGA1-64-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0232
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED