Debian Security Advisory
DLA-176-1 mono -- LTS security update
- Date Reported: 19 Mar 2015
- Affected Packages:
- Security database references:
  In the Debian bugtracking system: Bug 780751.
  In Mitre's CVE dictionary: CVE-2015-2318, CVE-2015-2319, CVE-2015-2320.
- More information:
Three issues with Mono's TLS stack are addressed.
Mono's implementation of the SSL/TLS stack failed to check the order of the handshake messages, which would allow various attacks on the protocol to succeed ("SKIP-TLS").
Mono's implementation of SSL/TLS also contained support for the weak EXPORT ciphers and was susceptible to the FREAK attack.
Mono contained SSLv2 fallback code, which is no longer needed and can be considered insecure.
For Debian 6 Squeeze, these issues have been fixed in mono version 2.6.7-5.1+deb6u1
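
The handshake-order check whose absence is described above, together with the ServerKeyExchange rule relevant to FREAK, as an added Python example that is not Mono's code or the Debian patch. It assumes a full TLS 1.0-1.2 handshake seen from the client, certificate-authenticated RSA, DHE_RSA and ECDHE_RSA suites only, and no session resumption; all function and constant names are hypothetical.

```python
# Added illustration; every name here is hypothetical, none is taken from Mono.
REQUIRED, OPTIONAL, FORBIDDEN = "required", "optional", "forbidden"

def expected_flight(kx):
    """Server messages of a full TLS 1.0-1.2 handshake, in protocol order."""
    # Ephemeral suites need ServerKeyExchange; plain RSA must not carry one.
    # A client that accepts it under RSA can be handed a weak export-grade
    # key, which is the behaviour FREAK depends on.
    ske = REQUIRED if kx in ("DHE_RSA", "ECDHE_RSA") else FORBIDDEN
    return [
        ("ServerHello", REQUIRED),
        ("Certificate", REQUIRED),
        ("ServerKeyExchange", ske),
        ("CertificateRequest", OPTIONAL),
        ("ServerHelloDone", REQUIRED),
        ("ChangeCipherSpec", REQUIRED),  # separate record type, same ordering rule
        ("Finished", REQUIRED),
    ]

def check_server_flight(kx, received):
    """Return (ok, reason) for the ordered server messages a client received."""
    flight = expected_flight(kx)
    pos = 0
    for msg in received:
        # Walk forward to msg; stepping over a required message is an error.
        while pos < len(flight) and flight[pos][0] != msg:
            if flight[pos][1] == REQUIRED:
                return False, f"{msg} arrived before required {flight[pos][0]}"
            pos += 1
        if pos == len(flight):
            return False, f"{msg} is out of order or repeated"
        if flight[pos][1] == FORBIDDEN:
            return False, f"{msg} is not allowed for {kx} key exchange"
        pos += 1
    missing = [name for name, rule in flight[pos:] if rule == REQUIRED]
    if missing:
        return False, f"handshake ended before {missing[0]}"
    return True, "ok"

if __name__ == "__main__":
    # Constructed message sequences, not captured traffic.
    full = ["ServerHello", "Certificate", "ServerHelloDone", "ChangeCipherSpec", "Finished"]
    print(check_server_flight("RSA", full))
    print(check_server_flight("RSA", full[:2] + ["ServerKeyExchange"] + full[2:]))
    print(check_server_flight("ECDHE_RSA", full))
    print(check_server_flight("RSA", ["ServerHello", "Finished"]))
```

A client that runs a check of this shape before acting on each message rejects both a skipped ChangeCipherSpec and an unexpected ServerKeyExchange instead of continuing the handshake.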