111116 2005-11-01 03:16 0000 net-misc/openvpn: format string and DoS vulnerabilities 2005-11-06 10:44:56 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://www.frsirt.com/bulletins/2510 B2 [glsa] P2 normal --- 111267 1 casta@xwing.info security@gentoo.org genbug@Chamillionaire.breakpoint.cc luckyduck@gentoo.org uberlord@gentoo.org warpzero@gentoo.org casta@xwing.info 2005-11-01 03:16:32 0000 Looking at this advisory : http://www.frsirt.com/bulletins/2510 OpenVPN <= 2.0.2 has 2 vulnerabilities. Please bump to 2.0.3 as quick as possible Regards koon@gentoo.org 2005-11-01 03:54:53 0000 Ccing rest of herd as luckyduck has been away for some time. Please bump to 2.0.3. uberlord@gentoo.org 2005-11-01 04:59:33 0000 Adding myself as I've been looking after openvpn due to a (now solved) baselayout-1.12.0_pre issue as luckyduck is away (for long time) and warpzero is no longer a dev (iirc) Koon, openvpn-2.0.3 isn't released yet and has no source tarball or any 2.0.3 download available from their site. koon@gentoo.org 2005-11-01 05:50:04 0000 They pulled the release, probably needs a small last-minute fix. genbug@Chamillionaire.breakpoint.cc 2005-11-01 12:53:14 0000 Are we talking abour 2.0.3 or 2.0.4 ? genbug@Chamillionaire.breakpoint.cc 2005-11-01 12:54:46 0000 Are we talking abour 2.0.3 or 2.0.4 ? casta@xwing.info 2005-11-01 13:02:57 0000 OK, 2.0.3 was released this morning then removed a few hours after... Now 2.0.4 is released with the correct fixes (see http://openvpn.net/changelog.html) So now bump is for 2.0.4 skipping 2.0.3 ;) uberlord@gentoo.org 2005-11-02 04:24:31 0000 2.0.4 is now in the tree koon@gentoo.org 2005-11-02 04:34:03 0000 Arches please test and mark 2.0.4 stable Target KEYWORDS="alpha amd64 ppc ppc-macos sparc x86" ticho@gentoo.org 2005-11-02 06:52:45 0000 x86 stable hansmi@gentoo.org 2005-11-02 10:10:37 0000 Stable on ppc. uberlord@gentoo.org 2005-11-02 10:26:21 0000 2.0.4 removed as to having the new init script 2.0.4-r1 added with old script - please mark this version stable 2.0.4-r2 has the new init script Sorry for any confusion/problems/whatever grobian@gentoo.org 2005-11-02 12:14:18 0000 2.0.4-r1 stable on ppc-macos gustavoz@gentoo.org 2005-11-03 06:05:50 0000 sparc stable. uberlord@gentoo.org 2005-11-03 10:08:03 0000 openvpn-2.0.5 just got released with fixes another serious issue I've just comitted it to the tree, fixing bug #111369, marked ~ARCH The 2.0.4 ebuilds are still there, but are un-useable on Linux. ChangeLog snippet * Fixed bug in Linux get_default_gateway function introduced in 2.0.4, which would cause redirect-gateway on Linux clients to fail. * Restored easy-rsa/2.0 tree (backported from 2.1 beta series) which accidentally disappeared in 2.0.2 -> 2.0.4 transition. I'll leave it upto you guys if you want to stable 2.0.5 as technically 2.0.4 has the security fix but as the openvpn guys said, it may be unuseable. uberlord@gentoo.org 2005-11-03 10:09:56 0000 Uh - if this goes stable, then mark 2.0.5 stable and NOT 2.0.5-r1 which has the new init script koon@gentoo.org 2005-11-03 10:52:16 0000 We should definitely have 2.0.5 stable rather than 2.0.4... Upstream really fucked up this release big time. Readding arches that already tested 2.0.4... hansmi@gentoo.org 2005-11-03 11:15:02 0000 Stable on ppc. halcy0n@gentoo.org 2005-11-03 21:53:10 0000 x86 done grobian@gentoo.org 2005-11-04 03:14:51 0000 ppc-macos done gustavoz@gentoo.org 2005-11-04 06:45:15 0000 sparc stable, let's hope it's the last one. kloeri@gentoo.org 2005-11-05 05:38:38 0000 Alpha stable. blubb@gentoo.org 2005-11-06 04:40:45 0000 amd64 stable, sorry for the delay koon@gentoo.org 2005-11-06 10:44:56 0000 GLSA 200511-07