+++ This bug was initially created as a clone of Bug #292023 +++
Transport Layer Security (TLS, RFC 5246 and previous, including SSL v3 and previous) is subject to a number of serious man-in-the-middle (MITM) attacks related to renegotiation.
For more information, see the blocker bug.
Blargh. That thing was related to the Windows binary only. Sorry for the noise.
Mh. Actually, it might affect us after all. The second changelog item:
* Added additional session renegotiation hardening. OpenVPN has always required that mid-session renegotiations build up a new SSL/TLS session from scratch. While the client certificate common name is already locked against changes in mid-session TLS renegotiations, we now extend this locking to the auth-user-pass username as well as all certificate content in the full client certificate chain.
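As an added illustration (not code from this thread and not OpenVPN's own implementation), the following Python model shows what the changelog item changes: the pre-hardening rule compares only the client certificate common name across a mid-session renegotiation, while the hardened rule also locks the auth-user-pass username and a fingerprint of every certificate in the client chain. The identities and the "DER" byte strings are constructed sample data; the class and function names are assumptions made for this example.

```python
"""Model of identity locking across mid-session TLS renegotiation.

Constructed illustration, not OpenVPN code. The "certificates" are
constructed byte strings standing in for DER-encoded certificates.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class ClientIdentity:
    """What the server learned about the peer during one handshake."""
    common_name: str
    username: str                 # from auth-user-pass; "" when not used
    chain: Tuple[bytes, ...]      # client certificate chain, leaf first, DER bytes


def chain_fingerprints(chain: Tuple[bytes, ...]) -> Tuple[str, ...]:
    """SHA-256 over every certificate in the chain, so a change to any
    certificate's content (not just the leaf) is detected."""
    return tuple(hashlib.sha256(cert).hexdigest() for cert in chain)


def check_legacy(locked: ClientIdentity, new: ClientIdentity) -> Optional[str]:
    """Pre-hardening rule: only the common name is locked.
    Returns None when accepted, otherwise the reason for rejection."""
    if new.common_name != locked.common_name:
        return "common name changed"
    return None


def check_hardened(locked: ClientIdentity, new: ClientIdentity) -> Optional[str]:
    """Hardened rule described in the changelog: common name, username and the
    content of the full certificate chain must all match the initial session."""
    if new.common_name != locked.common_name:
        return "common name changed"
    if new.username != locked.username:
        return "auth-user-pass username changed"
    if chain_fingerprints(new.chain) != chain_fingerprints(locked.chain):
        return "certificate chain content changed"
    return None


class Session:
    """Holds the identity locked at the initial handshake and arbitrates
    every later renegotiation against it."""

    def __init__(self, initial: ClientIdentity, hardened: bool = True):
        self.locked = initial
        self.check: Callable[[ClientIdentity, ClientIdentity], Optional[str]] = (
            check_hardened if hardened else check_legacy
        )
        self.alive = True
        self.log = []

    def renegotiate(self, new: ClientIdentity) -> bool:
        """Accept the renegotiation only if the identity is unchanged;
        on any mismatch the session is torn down, never re-bound."""
        if not self.alive:
            return False
        reason = self.check(self.locked, new)
        if reason is None:
            self.log.append("renegotiation accepted")
            return True
        self.alive = False
        self.log.append(f"renegotiation rejected: {reason}")
        return False


# --- constructed sample data (not real certificates) -------------------------
CA = b"constructed-DER:CA"
LEAF_ALICE = b"constructed-DER:CN=alice,serial=1"
LEAF_ALICE_REISSUED = b"constructed-DER:CN=alice,serial=2"   # same CN, new cert

ORIGINAL = ClientIdentity("alice", "alice", (LEAF_ALICE, CA))
SAME_CN_NEW_CERT = ClientIdentity("alice", "alice", (LEAF_ALICE_REISSUED, CA))
SAME_CN_NEW_USER = ClientIdentity("alice", "mallory", (LEAF_ALICE, CA))

ATTEMPTS = {
    "unchanged": ORIGINAL,
    "new_cert_same_cn": SAME_CN_NEW_CERT,
    "new_username_same_cn": SAME_CN_NEW_USER,
}


def demo() -> Dict[str, Dict[str, bool]]:
    """Run each renegotiation attempt against a fresh session under both rules."""
    results: Dict[str, Dict[str, bool]] = {}
    for rule, hardened in (("legacy", False), ("hardened", True)):
        results[rule] = {
            label: Session(ORIGINAL, hardened=hardened).renegotiate(identity)
            for label, identity in ATTEMPTS.items()
        }
    return results


if __name__ == "__main__":
    for rule, outcome in demo().items():
        print(rule, outcome)
```

Under the legacy rule both mismatching attempts are accepted because the common name is unchanged; under the hardened rule only the unchanged identity passes, which is the gap the changelog item closes.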
Cédric, can we go stable (maybe after fixing bug 293840)?
I'm not yet sure how to fix bug 293840.
If this bug really requires that 2.1_rc21 go stable, I think it can go.
I think we should stabilize 2.1.0-r1 to fix this. Adding arches.
...and cleaning up behind you
(MIPS doesn't do stable.)
(And it looks better and more legible like this:)
Arch teams, please test and mark stable:
Target KEYWORDS="alpha arm hppa ppc ppc64 s390 sh sparc"
Stable for HPPA PPC.
Security team, I think this bug can be closed.
(In reply to comment #13)
> Security team, I think this bug can be closed.
Not yet. GLSA request filed.
This issue was resolved and addressed in
GLSA 201311-13 at http://security.gentoo.org/glsa/glsa-201311-13.xml
by GLSA coordinator Sergey Popov (pinkbyte).