Oct 22, 2008 - 8:50 a.m.

[Backports-security-announce] Security Update for mono

2008-10-22 08:50:59
lists.debian.org

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS: 0.016 Low
Percentile: 86.2%

Gerfried Fuchs uploaded new packages for mono which fixed the following
security problems:

CVE-2008-3422, Debian BTS #494406

Multiple cross-site scripting (XSS) vulnerabilities in the ASP.net
class libraries in Mono 2.0 and earlier allow remote attackers to
inject arbitrary web script or HTML via crafted attributes related to

  • HtmlControl.cs (PreProcessRelativeReference),
  • HtmlForm.cs (RenderAttributes),
  • HtmlInputButton (RenderAttributes),
  • HtmlInputRadioButton (RenderAttributes), and
  • HtmlSelect (RenderChildren).

CVE-2008-3906, Debian BTS #498894

CRLF injection vulnerability in Sys.Web in Mono 2.0 and earlier allows
remote attackers to inject arbitrary HTTP headers and conduct HTTP
response splitting attacks via CRLF sequences in the query string.

For the etch-backports distribution the problems have been fixed in
version 1.9.1+dfsg-4~bpo40+1.

For the lenny and sid distributions the problems have been fixed in
version 1.9.1+dfsg-4.

Upgrade instructions

If you don't use pinning (see [1]) you have to update the packages
manually via "apt-get -t etch-backports install <packagelist>" with the
packagelist of your installed packages affected by this update.
[1] <http://backports.org/dokuwiki/doku.php?id=instructions>

We recommend pinning the backports repository to 200 so that new versions
of installed backports are installed automatically:

Package: *
Pin: release a=etch-backports
Pin-Priority: 200
