Bug 960192 (CVE-2013-2061)
| Field | Value |
|---|---|
| Summary | CVE-2013-2061 openvpn: use of non-constant-time memcmp in HMAC comparison in openvpn_decrypt |
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | CLOSED ERRATA |
| Severity | low |
| Priority | low |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Reporter | Vincent Danen <vdanen> |
| Assignee | Red Hat Product Security <security-response-team> |
| CC | davids, gwync, huzaifas, jlieskov, steve |
| Keywords | Security |
| Fixed In Version | openvpn 2.3.1 |
| Doc Type | Bug Fix |
| Last Closed | 2013-06-04 17:46:26 UTC |
| Bug Depends On | 960195, 960196 |

Description
Vincent Danen
2013-05-06 16:25:51 UTC
Note that OpenVPN is not built with PolarSSL support, so while it's currently unknown whether or not this affects OpenVPN built with OpenSSL, it's probably prudent to apply the patch, despite this being a low-impact flaw.

Pushing 2.3.1 to f18 and f17 as we speak.

Nice, thank you Jon. I will still file a tracking bug that you can reference as one is required for EPEL anyways.

Created openvpn tracking bugs for this issue
Affects: epel-all [bug 960195]
Affects: fedora-all [bug 960196]

For more information about this issue, please read this announcement: https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-f375aa67cc

This is really a low security issue, and it seems most likely to be vulnerable only if --cipher none is used in the configuration.

Right, that's why it's rated low impact here as well. It's also unknown whether or not this affects openssl (which we use) or just the use of polarssl (which we don't use). But, regardless, it's still a flaw and the patch is pretty straightforward, so there's no real reason _not_ to fix it.

The CVE identifier of CVE-2013-2061 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2013/05/06/6
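
Added example, not part of the bug report and not OpenVPN's code: a model of the early-exit behaviour a memcmp-style comparison may have, next to a constant-time tag comparison of the kind the bug title calls for. The function names, the 20-byte tag length and the sample tags are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define TAG_LEN 20 /* assumed tag size for this example (HMAC-SHA1 output) */

/* Constructed sample tags, not taken from any real traffic. */
static const unsigned char expected[TAG_LEN] = {
    0x3a,0x91,0x5c,0x07,0xe2,0x44,0xb8,0x1d,0x6f,0xa0,
    0x12,0xcd,0x79,0x3e,0x85,0xf6,0x2b,0x50,0xd4,0x68 };
static const unsigned char bad_first[TAG_LEN] = {   /* differs at byte 0 */
    0x3b,0x91,0x5c,0x07,0xe2,0x44,0xb8,0x1d,0x6f,0xa0,
    0x12,0xcd,0x79,0x3e,0x85,0xf6,0x2b,0x50,0xd4,0x68 };
static const unsigned char bad_last[TAG_LEN] = {    /* differs at byte 19 */
    0x3a,0x91,0x5c,0x07,0xe2,0x44,0xb8,0x1d,0x6f,0xa0,
    0x12,0xcd,0x79,0x3e,0x85,0xf6,0x2b,0x50,0xd4,0x69 };

/* Hypothetical helper: bytes an early-exit comparison inspects before
 * returning. The running time of such a comparison tracks this count. */
size_t early_exit_bytes_examined(const unsigned char *a,
                                 const unsigned char *b, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        if (a[i] != b[i])
            return i + 1;
    return len;
}

/* Hypothetical helper: constant-time equality. Always touches all len bytes
 * and folds the differences into one accumulator, with no branch on data. */
int tag_equal_ct(const unsigned char *a, const unsigned char *b, size_t len)
{
    volatile unsigned char diff = 0;
    size_t i;
    for (i = 0; i < len; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

int main(void)
{
    printf("early exit examines %zu vs %zu bytes\n",
           early_exit_bytes_examined(expected, bad_first, TAG_LEN),
           early_exit_bytes_examined(expected, bad_last, TAG_LEN));
    printf("constant-time result: %d %d %d\n",
           tag_equal_ct(expected, expected, TAG_LEN),
           tag_equal_ct(expected, bad_first, TAG_LEN),
           tag_equal_ct(expected, bad_last, TAG_LEN));
    return 0;
}
```

Both rejected tags produce the same result from `tag_equal_ct` after the same amount of work, while the early-exit model does different amounts of work depending on where the mismatch sits.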