Debian Security Advisory

DLA-176-1 mono -- LTS security update

Date Reported:
19 Mar 2015
Affected Packages:
Security database references:
In the Debian bugtracking system: Bug 780751.
In Mitre's CVE dictionary: CVE-2015-2318, CVE-2015-2319, CVE-2015-2320.
More information:

Three issues with Mono's TLS stack are addressed.

  • CVE-2015-2318

    Mono's implementation of the SSL/TLS stack failed to check the order of the handshake messages. Which would allow various attacks on the protocol to succeed. ("SKIP-TLS")

  • CVE-2015-2319

    Mono's implementation of SSL/TLS also contained support for the weak EXPORT cyphers and was susceptible to the FREAK attack.

  • CVE-2015-2320

    Mono contained SSLv2 fallback code, which is no longer needed and can be considered insecure.

For Debian 6 Squeeze, these issues have been fixed in mono version 2.6.7-5.1+deb6u1