Summary: | <net-misc/openvpn-2.1_rc21 TLS Session Renegotiation MITM vulnerability (CVE-2009-3555) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Alex Legler (RETIRED) <a3li> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | normal | CC: | cedk, gentoo |
Priority: | High | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://extendedsubset.com/?p=8 | | |
Whiteboard: | A3 [glsa] | | |
Package list: | | Runtime testing required: | --- |
Bug Depends on: | | | |
Bug Blocks: | 292023 | | |

Description
Alex Legler (RETIRED)
2009-11-20 20:46:50 UTC
blargh. that thing was related to the windows binary only. sry for the noise.

mh. actually might does affect us. The second changelog item:

* Added additional session renegotiation hardening. OpenVPN has always required that mid-session renegotiations build up a new SSL/TLS session from scratch. While the client certificate common name is already locked against changes in mid-session TLS renegotiations, we now extend this locking to the auth-user-pass username as well as all certificate content in the full client certificate chain

(http://openvpn.net/index.php/open-source/documentation/change-log/71-21-change-log.html)

Cédric, can we go stable (maybe after fixing bug 293840)?

I'm not yet sure how to fix bug 293840

If this bug really needs that 2.1_rc21 goes stable, I think it can go.

I think we should stabilize 2.1.0-r1 to fix this. Adding arches.

...and cleaning up behind you

amd64 done

x86 stable

(MIPS doesn't do stable.)

(And it looks better and more legible like this:)

Arch teams, please test and mark stable:
=net-misc/openvpn-2.1.0-r1
Target KEYWORDS="alpha arm hppa ppc ppc64 s390 sh sparc"

Stable for HPPA PPC.

arm stable

alpha/s390/sh/sparc stable

ppc64 done

Security team, I think this bug can be closed.

(In reply to comment #13)
> Security team, I think this bug can be closed.

Not yet. GLSA request filed.

This issue was resolved and addressed in GLSA 201311-13 at http://security.gentoo.org/glsa/glsa-201311-13.xml by GLSA coordinator Sergey Popov (pinkbyte).