Gerfried Fuchs uploaded new packages for mono which fixed the following
security problems:

CVE-2008-3422, Debian BTS #494406

  Multiple cross-site scripting (XSS) vulnerabilities in the ASP.net
  class libraries in Mono 2.0 and earlier allow remote attackers to
  inject arbitrary web script or HTML via crafted attributes related to
   * HtmlControl.cs (PreProcessRelativeReference),
   * HtmlForm.cs (RenderAttributes),
   * HtmlInputButton (RenderAttributes),
   * HtmlInputRadioButton (RenderAttributes), and
   * HtmlSelect (RenderChildren).

CVE-2008-3906, Debian BTS #498894

  CRLF injection vulnerability in Sys.Web in Mono 2.0 and earlier allows
  remote attackers to inject arbitrary HTTP headers and conduct HTTP
  response splitting attacks via CRLF sequences in the query string.

For the etch-backports distribution the problems have been fixed in
version 1.9.1+dfsg-4~bpo40+1.

For the lenny and sid distributions the problems have been fixed in
version 1.9.1+dfsg-4.

Upgrade instructions
--------------------

If you don't use pinning (see [1]) you have to update the packages
manually via "apt-get -t etch-backports install <packagelist>" with the
packagelist of your installed packages affected by this update.

[1] <http://backports.org/dokuwiki/doku.php?id=instructions>

We recommend pinning the backports repository to 200 so that new
versions of installed backports will be installed automatically:

  Package: *
  Pin: release a=etch-backports
  Pin-Priority: 200