Bug 111116 - net-misc/openvpn: format string and DoS vulnerabilities
Bug#: 111116 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: casta@xwing.info
Component: Vulnerabilities
URL:  http://www.frsirt.com/bulletins/2510
Summary: net-misc/openvpn: format string and DoS vulnerabilities
Keywords:  
Status Whiteboard: B2 [glsa]
Opened: 2005-11-01 03:16 0000
Description:   Opened: 2005-11-01 03:16 0000 
Looking at this advisory : http://www.frsirt.com/bulletins/2510
OpenVPN <= 2.0.2 has 2 vulnerabilities.
Please bump to 2.0.3 as quick as possible

Regards

------- Comment #1 From Thierry Carrez (RETIRED) 2005-11-01 03:54:53 0000 ------- 
Ccing rest of herd as luckyduck has been away for some time. Please bump to
2.0.3.

------- Comment #2 From Roy Marples (RETIRED) 2005-11-01 04:59:33 0000 ------- 
Adding myself as I've been looking after openvpn due to a (now solved)
baselayout-1.12.0_pre issue as luckyduck is away (for long time) and warpzero is
no longer a dev (iirc)

Koon, openvpn-2.0.3 isn't released yet and has no source tarball or any 2.0.3
download available from their site.

------- Comment #3 From Thierry Carrez (RETIRED) 2005-11-01 05:50:04 0000 ------- 
They pulled the release, probably needs a small last-minute fix.

------- Comment #4 From Sebastian Siewior 2005-11-01 12:53:14 0000 ------- 
Are we talking abour 2.0.3 or 2.0.4 ?

------- Comment #5 From Sebastian Siewior 2005-11-01 12:54:46 0000 ------- 
Are we talking abour 2.0.3 or 2.0.4 ?

------- Comment #6 From Guillaume Castagnino 2005-11-01 13:02:57 0000 ------- 
OK, 2.0.3 was released this morning then removed a few hours after...
Now 2.0.4 is released with the correct fixes (see http://openvpn.net/changelog.html)

So now bump is for 2.0.4 skipping 2.0.3 ;)

------- Comment #7 From Roy Marples (RETIRED) 2005-11-02 04:24:31 0000 ------- 
2.0.4 is now in the tree

------- Comment #8 From Thierry Carrez (RETIRED) 2005-11-02 04:34:03 0000 ------- 
Arches please test and mark 2.0.4 stable
Target KEYWORDS="alpha amd64 ppc ppc-macos sparc x86"

------- Comment #9 From Andrej Kacian (RETIRED) 2005-11-02 06:52:45 0000 ------- 
x86 stable

------- Comment #10 From Michael Hanselmann (hansmi) (RETIRED) 2005-11-02 10:10:37 0000 ------- 
Stable on ppc.

------- Comment #11 From Roy Marples (RETIRED) 2005-11-02 10:26:21 0000 ------- 
2.0.4 removed as to having the new init script
2.0.4-r1 added with old script - please mark this version stable
2.0.4-r2 has the new init script

Sorry for any confusion/problems/whatever

------- Comment #12 From Fabian Groffen 2005-11-02 12:14:18 0000 ------- 
2.0.4-r1 stable on ppc-macos

------- Comment #13 From Gustavo Zacarias (RETIRED) 2005-11-03 06:05:50 0000 ------- 
sparc stable.

------- Comment #14 From Roy Marples (RETIRED) 2005-11-03 10:08:03 0000 ------- 
openvpn-2.0.5 just got released with fixes another serious issue
I've just comitted it to the tree, fixing bug #111369, marked ~ARCH

The 2.0.4 ebuilds are still there, but are un-useable on Linux.
ChangeLog snippet

* Fixed bug in Linux get_default_gateway function
  introduced in 2.0.4, which would cause redirect-gateway
  on Linux clients to fail.
* Restored easy-rsa/2.0 tree (backported from 2.1 beta
  series) which accidentally disappeared in
  2.0.2 -> 2.0.4 transition.

I'll leave it upto you guys if you want to stable 2.0.5 as technically 2.0.4 has
the security fix but as the openvpn guys said, it may be unuseable.

------- Comment #15 From Roy Marples (RETIRED) 2005-11-03 10:09:56 0000 ------- 
Uh - if this goes stable, then mark 2.0.5 stable and NOT 2.0.5-r1 which has the
new init script

------- Comment #16 From Thierry Carrez (RETIRED) 2005-11-03 10:52:16 0000 ------- 
We should definitely have 2.0.5 stable rather than 2.0.4...

Upstream really fucked up this release big time.
Readding arches that already tested 2.0.4...

------- Comment #17 From Michael Hanselmann (hansmi) (RETIRED) 2005-11-03 11:15:02 0000 ------- 
Stable on ppc.

------- Comment #18 From Mark Loeser 2005-11-03 21:53:10 0000 ------- 
x86 done

------- Comment #19 From Fabian Groffen 2005-11-04 03:14:51 0000 ------- 
ppc-macos done

------- Comment #20 From Gustavo Zacarias (RETIRED) 2005-11-04 06:45:15 0000 ------- 
sparc stable, let's hope it's the last one.

------- Comment #21 From Bryan Østergaard (RETIRED) 2005-11-05 05:38:38 0000 ------- 
Alpha stable.

------- Comment #22 From Simon Stelling (RETIRED) 2005-11-06 04:40:45 0000 ------- 
amd64 stable, sorry for the delay

------- Comment #23 From Thierry Carrez (RETIRED) 2005-11-06 10:44:56 0000 ------- 
GLSA 200511-07