From ${URL} :
A vulnerability was found in the vtun package. When you send a SIGHUP to a vtun client process and it cannot connect to the remote server, vtun tries to reconnect without sleeping between attempts. As a result, the vtun process uses a lot of CPU and writes to syslog without limit.
References (with proposed patch): https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818489
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
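As an added illustration of the failure mode reported above (this is not vtun's code and not the Debian patch): a reconnect loop that bounds the retry rate with capped exponential backoff and rate-limits its syslog output, so that a peer that stays unreachable costs a few log lines and idle time instead of a CPU-bound loop. `next_backoff`, `reconnect_until`, `simulate` and the `fake_peer` test double are assumed names invented here.

```c
#include <stdbool.h>
/* Bounds for the reconnect delay (assumed values, not taken from vtun). */
#define BACKOFF_MIN_SEC 1u
#define BACKOFF_MAX_SEC 60u
/* Capped exponential backoff: attempt 0 -> 1s, 1 -> 2s, 2 -> 4s, ... never above 60s. */
unsigned next_backoff(unsigned attempt)
{
    unsigned delay = BACKOFF_MIN_SEC;
    while (attempt-- > 0 && delay < BACKOFF_MAX_SEC)
        delay *= 2;
    return delay > BACKOFF_MAX_SEC ? BACKOFF_MAX_SEC : delay;
}

struct reconnect_stats {
    unsigned attempts;  /* failed connection attempts */
    unsigned slept_sec; /* total delay the loop would have slept */
    unsigned log_lines; /* syslog lines that would have been written */
    bool connected;
};

/* Simulated reconnect loop: try_connect stands in for the real connect call;
 * real code would sleep() and syslog() where this only accumulates counters. */
struct reconnect_stats reconnect_until(bool (*try_connect)(void *), void *ctx,
                                       unsigned max_attempts, unsigned log_every)
{
    struct reconnect_stats st = {0, 0, 0, false};
    while (st.attempts < max_attempts) {
        if (try_connect(ctx)) { st.connected = true; break; }
        st.attempts++;
        /* Log the first failure, then only every log_every-th one. */
        if (st.attempts == 1 || (log_every && st.attempts % log_every == 0))
            st.log_lines++;                             /* syslog(LOG_INFO, ...) */
        st.slept_sec += next_backoff(st.attempts - 1);  /* sleep(delay) for real */
    }
    return st;
}
/* Constructed test double: fails the first fail_count attempts, then succeeds. */
struct fake_peer { unsigned fail_count; unsigned calls; };
bool fake_connect(void *ctx)
{
    struct fake_peer *p = ctx;
    return ++p->calls > p->fail_count;
}
/* Runs the loop against the test double and returns the counters. */
struct reconnect_stats simulate(unsigned fail_count, unsigned max_attempts, unsigned log_every)
{
    struct fake_peer p = { fail_count, 0 };
    return reconnect_until(fake_connect, &p, max_attempts, log_every);
}
```

With five failures before the peer answers, the loop would have slept 31 seconds in total and written two syslog lines instead of spinning.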
A CVE was not assigned to this vulnerability; as per the discussion in [1], upstream agrees that this can be a bug, but not a security issue [2]. The Debian guys patched it, though. Not sure how we should proceed; the upcoming 3.0.4 (released a long time ago, not in portage yet) does not contain a fix for this (upstream mentioned it directly).
[1] - http://seclists.org/oss-sec/2016/q2/173
[2] - https://sourceforge.net/p/vtun/bugs/58/
Should we remove this bug from security and make it just a regular bug, since upstream does not think this is a vulnerability?
Upstream believes it is not a bug. Concur with upstream's and Red Hat's assessment.
Michael Boyle
Gentoo Security Padawan