Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 293894

Summary: <net-misc/openvpn-2.1_rc21 TLS Session Renegotiation MITM vulnerability (CVE-2009-3555)
Product: Gentoo Security Reporter: Alex Legler (RETIRED) <a3li>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: cedk, gentoo
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 292023    

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-20 20:46:50 UTC
+++ This bug was initially created as a clone of Bug #292023 +++

From $URL:
Transport Layer Security (TLS, RFC 5246 and previous, including SSL v3 and previous) is subject to a number of serious man-in-the-middle (MITM) attacks related to renegotiation.

For more information, see the blocker bug.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-20 20:48:50 UTC
blargh. that thing was related to the windows binary only. sry for the noise.
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-20 20:53:26 UTC
mh. actually might does affect us. The second changelog item:

* Added additional session renegotiation hardening.  OpenVPN has always
  required that mid-session renegotiations build up a new SSL/TLS
  session from scratch.  While the client certificate common name is
  already locked against changes in mid-session TLS renegotiations, we
  now extend this locking to the auth-user-pass username as well as all
  certificate content in the full client certificate chain


Cédric, can we go stable (maybe after fixing bug 293840)?
Comment 3 Cédric Krier gentoo-dev 2009-11-21 18:35:20 UTC
I'm not yet sure how to fix bug 293840
If this bug really needs that 2.1_rc21 goes stable, I think it can go.
Comment 4 Dirkjan Ochtman (RETIRED) gentoo-dev 2010-08-23 13:24:20 UTC
I think we should stabilize 2.1.0-r1 to fix this. Adding arches.
Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-08-23 13:30:31 UTC
...and cleaning up behind you
Comment 6 Markos Chandras (RETIRED) gentoo-dev 2010-08-23 15:07:26 UTC
amd64 done
Comment 7 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-08-24 02:03:38 UTC
x86 stable
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2010-08-25 16:32:54 UTC
(MIPS doesn't do stable.)

(And it looks better and more legible like this:)

Arch teams, please test and mark stable:
Target KEYWORDS="alpha arm hppa ppc ppc64 s390 sh sparc"
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2010-08-25 16:48:58 UTC
Stable for HPPA PPC.
Comment 10 Markus Meier gentoo-dev 2010-08-28 08:01:28 UTC
arm stable
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2010-09-04 15:29:56 UTC
alpha/s390/sh/sparc stable
Comment 12 Brent Baude (RETIRED) gentoo-dev 2010-09-06 20:19:00 UTC
ppc64 done
Comment 13 Dirkjan Ochtman (RETIRED) gentoo-dev 2010-09-08 08:47:20 UTC
Security team, I think this bug can be closed.
Comment 14 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-09-09 14:27:42 UTC
(In reply to comment #13)
> Security team, I think this bug can be closed.

Not yet. GLSA request filed.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2013-11-20 10:50:30 UTC
This issue was resolved and addressed in
 GLSA 201311-13 at
by GLSA coordinator Sergey Popov (pinkbyte).