Ubuntu

USN-2547-1: Mono vulnerabilities

Leave a comment

Ubuntu Security Notice USN-2547-1

24th March, 2015

mono vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in Mono.

Software description

  • mono
    – Mono is a platform for running and developing applications

Details

It was discovered that the Mono TLS implementation was vulnerable to the
SKIP-TLS vulnerability. A remote attacker could possibly use this issue
to perform client impersonation attacks. (CVE-2015-2318)

It was discovered that the Mono TLS implementation was vulnerable to the
FREAK vulnerability. A remote attacker or a man in the middle could
possibly use this issue to force the use of insecure ciphersuites.
(CVE-2015-2319)

It was discovered that the Mono TLS implementation still supported a
fallback to SSLv2. This update removes the functionality as use of SSLv2 is
known to be insecure. (CVE-2015-2320)

It was discovered that Mono incorrectly handled memory in certain
circumstances. A remote attacker could possibly use this issue to cause
Mono to crash, resulting in a denial of service, or to obtain sensitive
information. This issue only applied to Ubuntu 12.04 LTS. (CVE-2011-0992)

It was discovered that Mono incorrectly handled hash collisions. A remote
attacker could possibly use this issue to cause Mono to crash, resulting in
a denial of service. This issue only applied to Ubuntu 12.04 LTS.
(CVE-2012-3543)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
libmono-2.0-1

3.2.8+dfsg-4ubuntu2.1
mono-runtime

3.2.8+dfsg-4ubuntu2.1
Ubuntu 14.04 LTS:
libmono-2.0-1

3.2.8+dfsg-4ubuntu1.1
mono-runtime

3.2.8+dfsg-4ubuntu1.1
Ubuntu 12.04 LTS:
libmono-2.0-1

2.10.8.1-1ubuntu2.3
mono-runtime

2.10.8.1-1ubuntu2.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to restart Mono applications to
make all the necessary changes.

References

CVE-2011-0992,

CVE-2012-3543,

CVE-2015-2318,

CVE-2015-2319,

CVE-2015-2320

Leave a Reply