Your message dated Thu, 06 Jun 2013 18:47:06 +0000
with message-id <[email protected]>
and subject line Bug#707329: fixed in openvpn 2.2.1-8+deb7u1
has caused the Debian Bug report #707329,
regarding openvpn: CVE-2013-2061: use of non-constant-time memcmp in HMAC 
comparison in openvpn_decrypt
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
707329: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=707329
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openvpn
Version: 2.1.3-2+squeeze1
Severity: important
Tags: security patch
Control: found -1 2.2.1-8

Hi,

the following vulnerability was published for openvpn.

CVE-2013-2061[0]:
use of non-constant-time memcmp in HMAC comparison in openvpn_decrypt

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2061
    http://security-tracker.debian.org/tracker/CVE-2013-2061
[1] https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-f375aa67cc
[2] https://github.com/OpenVPN/openvpn/commit/11d21349a4e7e38a025849479b36ace7c2eec2ee

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: openvpn
Source-Version: 2.2.1-8+deb7u1

We believe that the bug you reported is fixed in the latest version of
openvpn, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alberto Gonzalez Iniesta <[email protected]> (supplier of updated openvpn 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 17 May 2013 11:33:07 +0000
Source: openvpn
Binary: openvpn
Architecture: source amd64
Version: 2.2.1-8+deb7u1
Distribution: wheezy
Urgency: low
Maintainer: Alberto Gonzalez Iniesta <[email protected]>
Changed-By: Alberto Gonzalez Iniesta <[email protected]>
Description: 
 openvpn    - virtual private network daemon
Closes: 707329
Changes: 
 openvpn (2.2.1-8+deb7u1) wheezy; urgency=low
 .
   * Applied upstream patch to fix use of non-constant-time memcmp
     in HMAC comparison. CVE-2013-2061. (Closes: #707329)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

--- End Message ---
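
The class of defect named in this report (CVE-2013-2061), as an added example that is not part of the thread and is not the upstream OpenVPN patch: an early-exit comparison in the style of `memcmp` beside a constant-time one, with a counter showing how many bytes each reads. The function names, `TAG_LEN` and the tag bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define TAG_LEN 20 /* HMAC-SHA1 output size, chosen for this demo */

/* Early-exit comparison in the style of memcmp(): stops at the first
 * differing byte, so the bytes read (*examined) depend on the data. */
static int tag_equal_early_exit(const uint8_t *a, const uint8_t *b,
                                size_t len, size_t *examined)
{
    for (size_t i = 0; i < len; i++) {
        if (a[i] != b[i]) { *examined = i + 1; return 0; }
    }
    *examined = len;
    return 1;
}

/* Constant-time comparison: reads every byte and ORs the differences
 * together, so the work is the same wherever a mismatch occurs. */
static int tag_equal_constant_time(const uint8_t *a, const uint8_t *b,
                                   size_t len, size_t *examined)
{
    volatile uint8_t diff = 0; /* volatile discourages short-circuiting */
    for (size_t i = 0; i < len; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    *examined = len;
    return diff == 0;
}

/* Builds two constructed tags that differ at mismatch_at (no difference if
 * mismatch_at >= TAG_LEN) and returns how many bytes the comparison read. */
static size_t bytes_examined(int constant_time, size_t mismatch_at)
{
    uint8_t computed[TAG_LEN], received[TAG_LEN];
    size_t examined = 0;
    for (size_t i = 0; i < TAG_LEN; i++)
        computed[i] = received[i] = (uint8_t)(i * 7 + 1);
    if (mismatch_at < TAG_LEN)
        received[mismatch_at] ^= 0x80;
    (constant_time ? tag_equal_constant_time : tag_equal_early_exit)
        (computed, received, TAG_LEN, &examined);
    return examined;
}

int main(void)
{
    printf("%zu vs %zu bytes read\n", bytes_examined(0, 5), bytes_examined(1, 5));
    return 0;
}
```

The early-exit variant reads a number of bytes that tracks the position of the first mismatch, while the constant-time variant always reads the full tag; that data-dependent difference is what the CVE title refers to.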
