Univention Bugzilla – Bug 48097
mono: Multiple issues (4.2)
Last modified: 2018-11-07 15:04:28 CET
New Debian mono 3.2.8+dfsg-10+deb8u1 fixes:
This update addresses the following issue:
* CVE-2009-0689 array index error in dtoa implementation of many products (CVE-2009-0689)
--- mirror/ftp/4.2/unmaintained/4.2-0/source/mono_3.2.8+dfsg-10.dsc +++ apt/ucs_4.2-0-errata4.2-5/source/mono_3.2.8+dfsg-10+deb8u1.dsc @@ -1,3 +1,16 @@ +3.2.8+dfsg-10+deb8u1 [Thu, 01 Nov 2018 17:03:59 +0100] Markus Koschany <apo@debian.org>: + + * Non-maintainer upload by the LTS team. + * Fix CVE-2009-0689: Mono’s string-to-double parser may crash, on specially + crafted input. This could theoretically lead to arbitrary code execution. + * CVE-2018-1002208: Mono embeds the sharplibzip library which is vulnerable + to directory traversal, allowing attackers to write to arbitrary files via a + ../ (dot dot slash) in a Zip archive entry that is mishandled during + extraction. This vulnerability is also known as 'Zip-Slip'. + The Mono developers intend to remove sharplibzip from the sources entirely. + It is recommended to fetch the latest version by using the nuget package + manager instead. + 3.2.8+dfsg-10 [Thu, 19 Mar 2015 10:30:24 +0000] Jo Shields <jo.shields@xamarin.com>: * [037e3b5] Mono's implementation of the SSL/TLS stack failed to check <http://10.200.17.11/4.2-5/#6619244166901362470>
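Review bot: in the added 3.2.8+dfsg-10+deb8u1 entry, the CVE-2018-1002208 item does not say whether this upload changes the embedded sharplibzip code. The CVE-2009-0689 item begins with "Fix", while the Zip-Slip item only describes the directory traversal and then says the Mono developers intend to remove sharplibzip and recommends fetching it via nuget. Suggest wording the item so it states plainly whether extraction of entries containing ../ is patched in this version or remains an open issue, and making the erratum description match: the summary in this bug lists only CVE-2009-0689.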
OK: yaml
OK: announce_errata
OK: patch
OK: piuparts

[4.2-5] 06282e309c Bug #48097: mono 3.2.8+dfsg-10+deb8u1
 doc/errata/staging/mono.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

[4.2-5] 4b534c0f19 Bug #47787: EOL UCS-4.2-4 2018-10-31
 doc/errata/staging/mono.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

[4.2-5] 004f2ac6d1 Bug #48097: mono 3.2.8+dfsg-10+deb8u1
 doc/errata/staging/mono.yaml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
<http://errata.software-univention.de/ucs/4.2/542.html>