Bug 293894 - <net-misc/openvpn-2.1_rc21 TLS Session Renegotiation MITM vulnerability (CVE-2009-3555)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://extendedsubset.com/?p=8
Whiteboard: A3 [glsa]
Blocks: CVE-2009-3555
Reported: 2009-11-20 20:46 UTC by Alex Legler (RETIRED)
Modified: 2013-11-20 10:50 UTC (History)
Description Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-11-20 20:46:50 UTC
+++ This bug was initially created as a clone of Bug #292023 +++

From $URL:
Transport Layer Security (TLS, RFC 5246 and previous, including SSL v3 and previous) is subject to a number of serious man-in-the-middle (MITM) attacks related to renegotiation.

For more information, see the blocker bug.
Comment 1 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-11-20 20:48:50 UTC
blargh. that thing was related to the windows binary only. sry for the noise.
Comment 2 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-11-20 20:53:26 UTC
mh. actually might does affect us. The second changelog item:

* Added additional session renegotiation hardening.  OpenVPN has always
  required that mid-session renegotiations build up a new SSL/TLS
  session from scratch.  While the client certificate common name is
  already locked against changes in mid-session TLS renegotiations, we
  now extend this locking to the auth-user-pass username as well as all
  certificate content in the full client certificate chain

(http://openvpn.net/index.php/open-source/documentation/change-log/71-21-change-log.html)

Cédric, can we go stable (maybe after fixing bug 293840)?
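
The locking described in the changelog item quoted in comment 2, as an added illustration that is not part of the bug report and is not OpenVPN's code: a session pins the peer's identity at the first handshake and rejects a mid-session renegotiation that changes a locked field. The class and field names are hypothetical, and the byte strings are constructed stand-ins for DER-encoded certificates.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class PeerIdentity:
    common_name: str   # CN of the client certificate
    username: str      # auth-user-pass username
    chain_der: tuple   # certificate chain, leaf first (stand-in bytes)

    def chain_digest(self) -> str:
        # Length-prefix each certificate so chain boundaries are unambiguous.
        h = hashlib.sha256()
        for cert in self.chain_der:
            h.update(len(cert).to_bytes(4, "big"))
            h.update(cert)
        return h.hexdigest()


class Session:
    """Pins the identity seen at the initial handshake (hypothetical model)."""

    def __init__(self, peer: PeerIdentity, lock_all: bool = True):
        self.lock_all = lock_all  # False models the older CN-only lock
        self.cn = peer.common_name
        self.username = peer.username
        self.chain = peer.chain_digest()

    def changed_fields(self, peer: PeerIdentity) -> list:
        """Locked fields that differ on renegotiation; empty means accept."""
        changed = []
        if peer.common_name != self.cn:
            changed.append("common_name")
        if self.lock_all:
            if peer.username != self.username:
                changed.append("username")
            if peer.chain_digest() != self.chain:
                changed.append("cert_chain")
        return changed


# Constructed sample: same CN, different username and leaf certificate.
INITIAL = PeerIdentity("client1", "alice", (b"leaf-A", b"ca-1"))
RENEGOTIATED = PeerIdentity("client1", "bob", (b"leaf-B", b"ca-1"))

if __name__ == "__main__":
    print("CN-only lock:", Session(INITIAL, lock_all=False).changed_fields(RENEGOTIATED))
    print("full lock:   ", Session(INITIAL).changed_fields(RENEGOTIATED))
```

With the CN-only lock the renegotiation is accepted even though the username and certificate changed; with all three fields locked it is rejected.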
Comment 3 Cédric Krier gentoo-dev 2009-11-21 18:35:20 UTC
I'm not yet sure how to fix bug 293840
If this bug really needs that 2.1_rc21 goes stable, I think it can go.
Comment 4 Dirkjan Ochtman gentoo-dev 2010-08-23 13:24:20 UTC
I think we should stabilize 2.1.0-r1 to fix this. Adding arches.
Comment 5 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-08-23 13:30:31 UTC
...and cleaning up behind you
Comment 6 Markos Chandras (RETIRED) gentoo-dev 2010-08-23 15:07:26 UTC
amd64 done
Comment 7 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-08-24 02:03:38 UTC
x86 stable
Comment 8 Jeroen Roovers gentoo-dev 2010-08-25 16:32:54 UTC
(MIPS doesn't do stable.)

(And it looks better and more legible like this:)

Arch teams, please test and mark stable:
=net-misc/openvpn-2.1.0-r1
Target KEYWORDS="alpha arm hppa ppc ppc64 s390 sh sparc"
Comment 9 Jeroen Roovers gentoo-dev 2010-08-25 16:48:58 UTC
Stable for HPPA PPC.
Comment 10 Markus Meier gentoo-dev 2010-08-28 08:01:28 UTC
arm stable
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2010-09-04 15:29:56 UTC
alpha/s390/sh/sparc stable
Comment 12 Brent Baude (RETIRED) gentoo-dev 2010-09-06 20:19:00 UTC
ppc64 done
Comment 13 Dirkjan Ochtman gentoo-dev 2010-09-08 08:47:20 UTC
Security team, I think this bug can be closed.
Comment 14 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-09-09 14:27:42 UTC
(In reply to comment #13)
> Security team, I think this bug can be closed.
> 

Not yet. GLSA request filed.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2013-11-20 10:50:30 UTC
This issue was resolved and addressed in GLSA 201311-13 at http://security.gentoo.org/glsa/glsa-201311-13.xml by GLSA coordinator Sergey Popov (pinkbyte).