English | Deutsch | Español | Português
 UserID:
 Passwd:
new user
 About:   Dedicated  | Advanced  | Standard  | Recurring  | No Risk  | Desktop  | Basic  | Single  | Security Seal  | FAQ
  Price/Feature Summary  | Order  | New Vulnerabilities  | Confidentiality  | Vulnerability Search
 Vulnerability   
Search   
    Search 150599 CVE descriptions
and 73533 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.891564
Category:Debian Local Security Checks
Title:Debian LTS Advisory ([SECURITY] [DLA 1564-1] mono security update)
Summary:It was found that Mono's string-to-double parser may crash, on;specially crafted input. This could lead to arbitrary code execution.;;CVE-2018-1002208: Mono embeds the sharplibzip library which is;vulnerable to directory traversal, allowing attackers to write to;arbitrary files via a ../ (dot dot slash) in a Zip archive entry that;is mishandled during extraction. This vulnerability is also known as;'Zip-Slip'.;;The Mono developers intend to entirely remove sharplibzip from the;sources and do not plan to fix this issue. It is therefore recommended;to fetch the latest sharplibzip version by using the nuget package;manager instead. The embedded version should not be used with;untrusted zip files.
Description:Summary:
It was found that Mono's string-to-double parser may crash, on
specially crafted input. This could lead to arbitrary code execution.

CVE-2018-1002208: Mono embeds the sharplibzip library which is
vulnerable to directory traversal, allowing attackers to write to
arbitrary files via a ../ (dot dot slash) in a Zip archive entry that
is mishandled during extraction. This vulnerability is also known as
'Zip-Slip'.

The Mono developers intend to entirely remove sharplibzip from the
sources and do not plan to fix this issue. It is therefore recommended
to fetch the latest sharplibzip version by using the nuget package
manager instead. The embedded version should not be used with
untrusted zip files.

Affected Software/OS:
mono on Debian Linux

Solution:
For Debian 8 'Jessie', this problem has been fixed in version
3.2.8+dfsg-10+deb8u1.

We recommend that you upgrade your mono packages.

CVSS Score:
6.8

CVSS Vector:
AV:N/AC:M/Au:N/C:P/I:P/A:P

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2009-0689
http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
http://lists.apple.com/archives/security-announce/2010/Jun/msg00003.html
BugTraq ID: 35510
http://www.securityfocus.com/bid/35510
Bugtraq: 20091120 K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution) (Google Search)
http://www.securityfocus.com/archive/1/507977/100/0/threaded
Bugtraq: 20091120 SeaMonkey 1.1.8 Remote Array Overrun (Arbitrary code execution) (Google Search)
http://www.securityfocus.com/archive/1/507979/100/0/threaded
Bugtraq: 20091210 Camino 1.6.10 Remote Array Overrun (Arbitrary code execution) (Google Search)
http://www.securityfocus.com/archive/1/508423/100/0/threaded
Bugtraq: 20091210 Flock 2.5.2 Remote Array Overrun (Arbitrary code execution) (Google Search)
http://www.securityfocus.com/archive/1/508417/100/0/threaded
http://www.mandriva.com/security/advisories?name=MDVSA-2009:294
http://www.mandriva.com/security/advisories?name=MDVSA-2009:330
http://secunia.com/secunia_research/2009-35/
https://lists.debian.org/debian-lts-announce/2018/11/msg00001.html
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6528
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9541
http://www.redhat.com/support/errata/RHSA-2009-1601.html
http://www.redhat.com/support/errata/RHSA-2010-0153.html
http://www.redhat.com/support/errata/RHSA-2010-0154.html
RedHat Security Advisories: RHSA-2014:0311
http://rhn.redhat.com/errata/RHSA-2014-0311.html
RedHat Security Advisories: RHSA-2014:0312
http://rhn.redhat.com/errata/RHSA-2014-0312.html
http://securitytracker.com/id?1022478
http://secunia.com/advisories/37431
http://secunia.com/advisories/37682
http://secunia.com/advisories/37683
http://secunia.com/advisories/38066
http://secunia.com/advisories/38977
http://secunia.com/advisories/39001
http://securityreason.com/achievement_securityalert/63
http://securityreason.com/achievement_securityalert/69
http://securityreason.com/achievement_securityalert/72
http://securityreason.com/achievement_securityalert/73
http://securityreason.com/achievement_securityalert/71
http://securityreason.com/achievement_securityalert/76
http://securityreason.com/achievement_securityalert/75
http://securityreason.com/achievement_securityalert/77
http://securityreason.com/achievement_securityalert/78
http://securityreason.com/achievement_securityalert/81
http://sunsolve.sun.com/search/document.do?assetkey=1-26-272909-1
SuSE Security Announcement: SUSE-SR:2009:018 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html
SuSE Security Announcement: SUSE-SR:2010:013 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html
http://www.ubuntu.com/usn/USN-915-1
http://www.vupen.com/english/advisories/2009/3297
http://www.vupen.com/english/advisories/2009/3299
http://www.vupen.com/english/advisories/2009/3334
http://www.vupen.com/english/advisories/2010/0094
http://www.vupen.com/english/advisories/2010/0648
http://www.vupen.com/english/advisories/2010/0650
CopyrightCopyright (c) 2018 Greenbone Networks GmbH http://greenbone.net

This is only one of 73533 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.

New User Registration
Email:
UserID:
Passwd:
Please email me your monthly newsletters, informing the latest services, improvements & surveys.
Please email me a vulnerability test announcement whenever a new test is added.
   Privacy
Registered User Login
 
UserID:   
Passwd:  

 Forgot userid or passwd?
Email/Userid:




Home | About Us | Contact Us | Partner Programs | Developer APIs | Privacy | Mailing Lists | Abuse
Security Audits | Managed DNS | Network Monitoring | Site Analyzer | Internet Research Reports
Web Probe

© 1998-2019 E-Soft Inc. All rights reserved.