plasma-nm does not tell OpenVPN to perform server certificate verification. Consequently, anyone with the preshared key is able to perform a MITM attack by impersonating the server. OpenVPN warns about this on each boot:

Nov 17 22:40:56 t520 nm-openvpn[29005]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.

This issue has been around for years and is also present in kde-misc/networkmanagement. I had incorrectly thought that kde-misc/networkmanagement was dropped by upstream until I realized that it is the desktop version of this component and is still supported.

Upstream has written a patch for kde-misc/plasma-nm in response to my bug report:

https://bugs.kde.org/show_bug.cgi?id=341069
http://commits.kde.org/plasma-nm/863851110191d0480375d6c86ba8082dae9ac950

I have filed an upstream bug against kde-misc/networkmanagement:

https://bugs.kde.org/show_bug.cgi?id=341387

I am inclined to file a separate security bug for kde-misc/networkmanagement, but I have decided to give upstream a week to respond first in the belief that the note here is sufficient. If the security team feels otherwise, please do not hesitate to file another bug and CC me.
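As an added example (not code from this bug report, from plasma-nm or from OpenVPN), here is a small POSIX shell audit that answers the question the warning above raises: does the profile OpenVPN actually received contain any server certificate verification directive? It accepts either a config file body or the argument list of a running openvpn process, since NetworkManager hands options to nm-openvpn on the command line rather than through a file. The sample profiles and command line are constructed, the paths and hostname are hypothetical, and the list of directives counted as verification methods is my assumption about what OpenVPN checks before printing that warning; confirm it against the OpenVPN version in use.

```shell
#!/bin/sh
# Added example: audit an OpenVPN client profile (config file body or the
# argument list of a running nm-openvpn process) for a server certificate
# verification directive. Not code from the bug report, plasma-nm or OpenVPN.

# Constructed sample: a client profile with a shared tls-auth key but no
# server verification. Paths and hostname are hypothetical.
WEAK_CONF='client
dev tun
proto udp
remote vpn.example.com 1194
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client.crt
key /etc/openvpn/client.key
tls-auth /etc/openvpn/ta.key 1
'

# The same profile with server verification enabled.
HARDENED_CONF="${WEAK_CONF}remote-cert-tls server
verify-x509-name vpn.example.com name
"

# Constructed sample of an openvpn command line as NetworkManager launches it:
# options arrive as arguments, so there is no config file to inspect.
NM_CMDLINE='/usr/sbin/openvpn --remote vpn.example.com 1194 udp --nobind --dev tun --ca /etc/openvpn/ca.crt --cert /etc/openvpn/client.crt --key /etc/openvpn/client.key --tls-auth /etc/openvpn/ta.key 1 --remote-cert-tls server'

# Directives treated as server verification methods. Assumption: this mirrors
# the set OpenVPN consults before emitting "No server certificate verification
# method has been enabled"; ns-cert-type is the deprecated predecessor of
# remote-cert-tls. Check options.c of the OpenVPN version in use.
VERIFY_RE='^(remote-cert-tls[[:space:]]+server([[:space:]]|$)|ns-cert-type[[:space:]]+server([[:space:]]|$)|verify-x509-name[[:space:]]+[^[:space:]]|remote-cert-eku[[:space:]]+[^[:space:]]|remote-cert-ku[[:space:]]+[^[:space:]]|tls-verify[[:space:]]+[^[:space:]])'

# Normalise input to one directive per line: split a command line on " --",
# drop a leading "--", trim whitespace, drop blank and comment lines.
ovpn_directives() {
    printf '%s\n' "$1" \
        | awk '{ sub(/^--/, ""); gsub(/ --/, "\n"); print }' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | grep -Ev '^(#|;|$)'
}

# Exit 0 if some server verification directive is present, 1 otherwise.
ovpn_has_server_verification() {
    ovpn_directives "$1" | grep -Eq "$VERIFY_RE"
}

# Print EXPOSED when the profile has the weakness described in the report:
# the client accepts any certificate chaining to its CA, so a peer holding
# the tls-auth key (or any CA-issued certificate) can impersonate the server.
ovpn_verdict() {
    if ovpn_has_server_verification "$1"; then
        echo "OK"
    else
        echo "EXPOSED"
    fi
}

ovpn_verdict "$WEAK_CONF"      # EXPOSED
ovpn_verdict "$HARDENED_CONF"  # OK
ovpn_verdict "$NM_CMDLINE"     # OK
```

To audit a live NetworkManager connection rather than a constructed sample, capture the argument list of the running process (for example with GNU ps: `ps -o args= -C openvpn`) and pass that string to `ovpn_verdict`; an EXPOSED result means the profile as it reached OpenVPN carries no server verification, whatever the GUI showed. Note that a present tls-auth key does not change the verdict: it keeps strangers out of the handshake but, as the report says, does nothing against a party who already holds the key.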
From upstream bug report this is fixed in 0.9.0.12 which is the only version in tree. Remove kde from cc then.
(In reply to Johannes Huber from comment #1)
> From upstream bug report this is fixed in 0.9.0.12 which is the only version
> in tree. Remove kde from cc then.

Sorry, wrong package.
+ 06 Jun 2015; Michael Palimaka <kensington@gentoo.org> + +plasma-nm-0.9.3.6.ebuild: + Version bump wrt bug #531070.
Arches, please stabilize =kde-misc/plasma-nm-0.9.3.6
Target: amd64 x86
amd64 stable
x86 stable. Maintainer(s), please clean up. Security, please vote.
Thanks all. Cleanup done. Removing maintainer then.

+ + 18 Jul 2015; Johannes Huber <johu@gentoo.org> + -files/plasma-nm-0.9.3.5-openconnect.patch, -plasma-nm-0.9.3.5.ebuild: + Remove vulnerable version, bug #531070. +
Arches and Maintainer(s), thank you for your work.

GLSA Vote: No
GLSA Vote: No