Summary: | net-misc/openvpn: Multiple DoS issues | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Carsten Lohrke (RETIRED) <carlo> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | kaiowas, luckyduck, mr-russ, warpzero |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | C3 [noglsa] jaervosz | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | |||
Bug Blocks: | 103320 |
Description
Carsten Lohrke (RETIRED)
2005-08-17 10:21:21 UTC
Secure-tunneling please bump and create/update a herd alias. according to devaway, cia and genbot luckyduck might still have connection problems. a new shiny openvpn ebuild is available. tested and found OK on x86, unmask when you see fit. Arches, please test 2.0.1 and mark stable Marked Stable on AMD64. Stable on ppc. stable on ppc-macos x86 there... Waiting on sparc. Ccing jforman which is the last sparc stable-izer, in case he can help. sparc stable, sorry for the delay. Ready for GLSA vote, I vote YES vote NO, sound like very minor issues for non-authenticated clients presumably the sequence of events to stop people connecting would have to be: -> attacker sends data that cannot be decrypted -> legitimate user connects, but connection fails -> attacker again -> legitimate user -> attacker The attacker cant connect again before the legitimate user, or he would flush his own message queue? so would have to wait until he knows the legitimate user has failed, then send the bad data again, I dont think this is a feasible attack to prevent more than one or two connections. The attacks from authenticated users are less minor, but not glsa worthy imho. Seems like some very minor issues. Voting NO and closing. Feel free to reopen if you disagree. *** Bug 106323 has been marked as a duplicate of this bug. *** |