Red Hat Bugzilla – Bug 206510
CVE-2006-2658: xsp directory traversal vulnerability
Last modified: 2007-11-30 17:11:43 EST
xsp/mod_mono has reportedly a directory traversal vulnerability, see
Information about this is pretty scarce, but it should be investigated whether
this applies to the FE xsp/mod_mono packages in addition to SuSE products.
I've looked at this report and by the looks of it, yes the FE xsp/mod_mono will
come under the same umbrella (built from the same sources). I've asked on the
mono-developers list if there is a patch available and if there is, I shall
apply it quickly.
Could you please advise what to do in the meantime? Should I put an advisory out
on the FE list alerting people to the issue?
I wouldn't go so far as to send an advisory. This is currently classified as a
low-risk vulnerability so I'd suggest simply patching it ASAP.
You may be able to extract the fix from the SUSE package if you can find it.
Just been advised that it only relates to the 1.1.14 version of mod_mono, not
1.1.17 (which is packaged for both FE5 and rawhide).
Closing the bug. Thanks for the advice :-)