Bug 1202869 (CVE-2015-2318, CVE-2015-2319, CVE-2015-2320) - CVE-2015-2318 CVE-2015-2319 CVE-2015-2320 mono: TLS implementation vulnerabilities
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-2318, CVE-2015-2319, CVE-2015-2320
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1089426 1220138
Blocks:
Reported: 2015-03-17 15:19 UTC by Martin Prpič
Modified: 2021-10-20 10:50 UTC

Fixed In Version: Mono 3.12.1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-20 10:50:54 UTC
Embargoed:


Description Martin Prpič 2015-03-17 15:19:28 UTC
Three flaws were discovered in Mono's TLS implementation:

A TLS impersonation attack was discovered in Mono's TLS stack by researchers at Inria. During checks on our TLS stack, we have discovered two further issues which we have fixed - SSLv2 support, and vulnerability to FREAK. These vulnerabilities affect basically every Mono version ever released.

This is fixed in Mono version 3.12.1:

http://download.mono-project.com/sources/mono/mono-3.12.1.tar.bz2

Upstream patches:

https://github.com/mono/mono/commit/1509226c41d74194c146deb173e752b8d3cdeec4
https://github.com/mono/mono/commit/9c38772f094168d8bfd5bc73bf8925cd04faad10
https://github.com/mono/mono/commit/b371da6b2d68b4cdd0f21d6342af6c42794f998b

Additional Information:

http://seclists.org/oss-sec/2015/q1/772

Comment 1 Claudio Rodrigo Pereyra DIaz 2015-03-17 18:09:54 UTC
I have a copr repo with 3.12.1 for F20 and F21 {i686,x86_64}.
On F22 and rawhide I have some problems compiling the same package.

Copr: https://copr.fedoraproject.org/coprs/elsupergomez/mono/

Comment 2 Martin Prpič 2015-03-18 16:06:31 UTC
MITRE assigned CVEs for these flaws in http://seclists.org/oss-sec/2015/q1/869:

Use CVE-2015-2318 for the https://www.smacktls.com SKIP-TLS issue in Mono.

Use CVE-2015-2319 for the https://www.smacktls.com FREAK issue in Mono.

Use CVE-2015-2320 for b371da6b2d68b4cdd0f21d6342af6c42794f998b.
