https://bugzilla.novell.com/show_bug.cgi?id=647493
https://bugzilla.novell.com/show_bug.cgi?id=647493#c1

Sebastien Pouliot <[email protected]> changed:

               What|Removed     |Added
----------------------------------------------------------------------------
             Status|NEW         |CLOSED
              Group|novellonly  |
      CC Accessible|1           |0
                 CC|            |[email protected]
         Resolution|            |INVALID
Reporter Accessible|1           |0

--- Comment #1 from Sebastien Pouliot <[email protected]> 2010-10-18 20:30:10 UTC ---

Please check your facts (and wires ;-)

1. I'm 99% certain that the issue was found when Mono 1.2.5 was current and 1.2.5.1 was released with a fix (sadly there's no release notes but 1.2.5.2 was for another vulnerability). I'd be happy if you could prove me wrong and no the CVE web page is not a proof ;-) but a typo.

2. This is not the first time that the solution was explained (to debian maintainers) but here it is again: the internal, inner (non-user accessible) Montgomery class is not used by BigInteger (i.e. you can remove it and compile mono, it's DEAD code) nor anywhere else. This is why the above patch is unneeded (i.e. it was fixed by using another implementation for Pow).

So:

1. use upstream mono

2. avoid useless, untested, patches - because, you know, they can randomly bite you...

Now I'll remove the dead code because I never had time to fix the bug which made me switch away from (the faster) Montgomery algorithm - and it was unrelated to the vulnerability. Hopefully this will remove any potential confusion (and useless, untested patches ;-).

If you find any security issue please read http://en.wikipedia.org/wiki/Responsible_disclosure and use the contact form on the first link you mentioned.
