Debian Long Term Support / LTS Security Information / 2015 / Security Information -- DLA-176-1 mono

Debian Security Advisory

DLA-176-1 mono -- LTS security update

Date Reported:

19 Mar 2015

Affected Packages:

mono

Vulnerable:

Yes

Security database references:

In the Debian bugtracking system: Bug 780751.
In Mitre's CVE dictionary: CVE-2015-2318, CVE-2015-2319, CVE-2015-2320.

More information:

Three issues with Mono's TLS stack are addressed.

• CVE-2015-2318

  Mono's implementation of the SSL/TLS stack failed to check the order of the handshake messages. Which would allow various attacks on the protocol to succeed. ("SKIP-TLS")

• CVE-2015-2319

  Mono's implementation of SSL/TLS also contained support for the weak EXPORT cyphers and was susceptible to the FREAK attack.

• CVE-2015-2320

  Mono contained SSLv2 fallback code, which is no longer needed and can be considered insecure.

For Debian 6 Squeeze, these issues have been fixed in mono version 2.6.7-5.1+deb6u1