
Mageia alert MGASA-2013-0153 (openvpn)

From:  Mageia Updates <buildsystem-daemon@mageia.org>
To:  updates-announce@ml.mageia.org
Subject:  [updates-announce] MGASA-2013-0153: openvpn-2.2.2-5.3.mga2 (2/core)
Date:  Sat, 25 May 2013 21:43:36 +0200
Message-ID:  <20130525194336.GA29719@valstar.mageia.org>

MGASA-2013-0153

Date: May 25th, 2013
Affected releases: 2
Media: Core

Description:
Updated openvpn package fixes security vulnerability:

OpenVPN 2.3.0 and earlier running in UDP mode are subject to chosen
ciphertext injection due to a non-constant-time HMAC comparison function.
Plaintext recovery may be possible using a padding oracle attack on the
CBC mode cipher implementation of the crypto library, optimistically at a
rate of about one character per 3 hours. PolarSSL seems vulnerable to such
an attack; the vulnerability of OpenSSL has not been verified or tested
(CVE-2013-2061).

Updated Packages:
i586:
openvpn-2.2.2-5.3.mga2.i586.rpm
openvpn-debug-2.2.2-5.3.mga2.i586.rpm

x86_64:
openvpn-2.2.2-5.3.mga2.x86_64.rpm
openvpn-debug-2.2.2-5.3.mga2.x86_64.rpm

SRPMS:
openvpn-2.2.2-5.3.mga2.src.rpm

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2061
https://community.openvpn.net/openvpn/wiki/SecurityAnnoun...
http://lists.fedoraproject.org/pipermail/package-announce...
https://bugs.mageia.org/show_bug.cgi?id=10125
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-...

