GoogleOSV:DLA-176-1mono - security update
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
Three issues with Mono’s TLS stack are addressed.
- CVE-2015-2318
Mono’s implementation of the SSL/TLS stack failed to check
the order of the handshake messages. Which would allow
various attacks on the protocol to succeed. (“SKIP-TLS”) - CVE-2015-2319
Mono’s implementation of SSL/TLS also contained support for
the weak EXPORT cyphers and was susceptible to the FREAK attack. - CVE-2015-2320
Mono contained SSLv2 fallback code, which is no longer needed
and can be considered insecure.
For Debian 6 Squeeze, these issues have been fixed in mono version 2.6.7-5.1+deb6u1
References
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P