[Mono-dev] Redhat CVE-2010-1459

Sebastien Pouliot sebastien.pouliot at gmail.com
Mon May 31 13:18:06 EDT 2010


Hello Paul,

On Mon, 2010-05-31 at 17:04 +0100, Paul wrote:
> Hi,
> 
> As one of the packagers for mono in Fedora, I've been alerted to a
> security issue (detailed at
> https://www.redhat.com/security/data/cve/CVE-2010-1459.html ). This
> problem doesn't affect 2.6.4 but does for older versions.

Yes, 2.6.4 has the fix built-in (i.e. in tarballs). However, all SVN
branches for supported versions of Mono include the fix for this
vulnerability.

> The EnableViewStateMac property in the default config of ASP.NET is set
> to FALSE which can give attackers cross-site attack capabilities.
> 
> Is there a problem setting this value to TRUE as a quick fix or is there
> a better solution?

You should be able to rebuild from the HEAD (of the branches) your
packages depend on, or you can cherry-pick the commits. Note that the
patch is not 100% identical between all branches.

Sebastien

p.s. you can also watch http://www.mono-project.com/Vulnerabilities to
see new vulnerabilities "as soon as possible" instead of waiting to be
notified by RH (or anyone else).
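The setting Paul asks about lives on the `<pages>` element under `<system.web>` in web.config (or machine.config for a machine-wide default). The script below is an added example, not code from this thread or from the Mono project: it parses a config file with the standard library and reports whether `enableViewStateMac` is explicitly false (ViewState is then not authenticated), explicitly true, or not set at that level, in which case the effective value is inherited from the parent config and must be checked there. The three sample configs are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not taken from the thread or from Mono's sources).
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="false" />
  </system.web>
</configuration>
"""

FIXED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="True" />
  </system.web>
</configuration>
"""

UNSET_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages />
  </system.web>
</configuration>
"""


def viewstate_mac_setting(config_xml: str):
    """Return 'true', 'false' or None for enableViewStateMac on <system.web><pages>.

    None means the attribute (or the <pages> element) is absent at this level,
    so the effective value comes from the parent configuration file.
    Values are lower-cased because .NET config accepts True/true interchangeably.
    """
    root = ET.fromstring(config_xml)
    pages = root.find("system.web/pages")
    if pages is None:
        return None
    value = pages.get("enableViewStateMac")
    if value is None:
        return None
    return value.strip().lower()


def audit(config_xml: str, name: str = "web.config") -> str:
    """One-line finding for a config file, in the form a packager or admin would read."""
    setting = viewstate_mac_setting(config_xml)
    if setting == "false":
        return (f"{name}: enableViewStateMac is explicitly false -> ViewState is not "
                f"authenticated; set it to true (CVE-2010-1459)")
    if setting == "true":
        return f"{name}: enableViewStateMac is true -> ok"
    return (f"{name}: enableViewStateMac not set here -> effective value is inherited "
            f"from the parent config (machine.config); check it there")


def audit_file(path: str) -> str:
    """Audit a config file on disk; usage: audit_file('/etc/mono/2.0/machine.config')."""
    with open(path, "r", encoding="utf-8") as fh:
        return audit(fh.read(), name=path)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG), ("unset", UNSET_CONFIG)):
        print(audit(cfg, name=label))
```

Because an application's web.config only overrides what it sets, an "unset" result is not a pass: the value that matters is the nearest one on the inheritance chain, which for a packaged Mono is the shipped machine.config.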

