Bug 1202869 (CVE-2015-2318, CVE-2015-2319, CVE-2015-2320)

Summary: CVE-2015-2318 CVE-2015-2319 CVE-2015-2320 mono: TLS implementation vulnerabilities
Product: [Other] Security Response
Reporter: Martin Prpič <mprpic>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: chkr, claudiorodrigo, itamar, lxtnow, moceap, moez.roy, paul
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: Mono 3.12.1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-20 10:50:54 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1089426, 1220138
Bug Blocks:

Description Martin Prpič 2015-03-17 15:19:28 UTC
Three flaws were discovered in Mono's TLS implementation:

A TLS impersonation attack was discovered in Mono's TLS stack by researchers at Inria. During checks on our TLS stack, we have discovered two further issues which we have fixed - SSLv2 support, and vulnerability to FREAK. These vulnerabilities affect basically every Mono version ever released.

This is fixed in Mono version 3.12.1:

http://download.mono-project.com/sources/mono/mono-3.12.1.tar.bz2

Upstream patches:

https://github.com/mono/mono/commit/1509226c41d74194c146deb173e752b8d3cdeec4
https://github.com/mono/mono/commit/9c38772f094168d8bfd5bc73bf8925cd04faad10
https://github.com/mono/mono/commit/b371da6b2d68b4cdd0f21d6342af6c42794f998b

Additional Information:

http://seclists.org/oss-sec/2015/q1/772

Comment 1 Claudio Rodrigo Pereyra Diaz 2015-03-17 18:09:54 UTC
I have a Copr repo with 3.12.1 for F20 and F21 {i686,x86_64}.
For F22 and Rawhide I have some problems compiling the same package.

Copr https://copr.fedoraproject.org/coprs/elsupergomez/mono/

Comment 2 Martin Prpič 2015-03-18 16:06:31 UTC
MITRE assigned CVEs for these flaws in http://seclists.org/oss-sec/2015/q1/869:

Use CVE-2015-2318 for the https://www.smacktls.com SKIP-TLS issue in Mono.

Use CVE-2015-2319 for the https://www.smacktls.com FREAK issue in Mono.

Use CVE-2015-2320 for b371da6b2d68b4cdd0f21d6342af6c42794f998b.