Date: Wed, 6 Apr 2011 20:06:51 +0200
From: Marcus Meissner <>
To: OSS Security List <>
Subject: Moonlight release 2.4.1 with security fixes


The Novell Mono developers are just releasing Moonlight (the Mono
Silverlight equivalent) security updates for several critical issues.

The first 3 issues were reported to the Mono team by Jeroen Frijters

The fixed versions are 2.4.1 for the 2.4 branch and 3.99.3 for the 3.99
(Moonlight 4 preview) branch.

The main Novell tracker bug for this update:

CVE-2011-0989: modification of read-only values via

The modification of read-only variables (e.g. from outside the sandbox)
could be used for breaking out of the Moonlight sandboxing.

CVE-2011-0990: buffer overflow due to race condition in Array.FastCopy

Similar to the above, an array element could be changed to a privileged
read-only element which would then be overwritten.
(So not a low-level buffer overflow, but a sandboxing violation/break out.)

CVE-2011-0991: use-after-free due to DynamicMethod resurrection

Also fixed in this update:
CVE-2011-0992: information leak due to improper thread finalization

Ciao, Marcus