+++ This bug was initially created as a clone of Bug #292023 +++ From $URL: Transport Layer Security (TLS, RFC 5246 and previous, including SSL v3 and previous) is subject to a number of serious man-in-the-middle (MITM) attacks related to renegotiation. For more information, see the blocker bug.
Blargh. That thing was related to the Windows binary only. Sorry for the noise.
Mh. Actually, it might affect us after all. The second changelog item: * Added additional session renegotiation hardening. OpenVPN has always required that mid-session renegotiations build up a new SSL/TLS session from scratch. While the client certificate common name is already locked against changes in mid-session TLS renegotiations, we now extend this locking to the auth-user-pass username as well as all certificate content in the full client certificate chain (http://openvpn.net/index.php/open-source/documentation/change-log/71-21-change-log.html) Cédric, can we go stable (maybe after fixing bug 293840)?
I'm not yet sure how to fix bug 293840. If this bug really needs 2.1_rc21 to go stable, I think it can go.
I think we should stabilize 2.1.0-r1 to fix this. Adding arches.
...and cleaning up behind you
amd64 done
x86 stable
(MIPS doesn't do stable.) (And it looks better and more legible like this:) Arch teams, please test and mark stable: =net-misc/openvpn-2.1.0-r1 Target KEYWORDS="alpha arm hppa ppc ppc64 s390 sh sparc"
Stable for HPPA and PPC.
arm stable
alpha/s390/sh/sparc stable
ppc64 done
Security team, I think this bug can be closed.
(In reply to comment #13)
> Security team, I think this bug can be closed.
Not yet. GLSA request filed.
This issue was resolved and addressed in GLSA 201311-13 at http://security.gentoo.org/glsa/glsa-201311-13.xml by GLSA coordinator Sergey Popov (pinkbyte).