Your message dated Thu, 06 Jun 2013 19:32:23 +0000
with message-id <[email protected]>
and subject line Bug#707329: fixed in openvpn 2.1.3-2+squeeze2
has caused the Debian Bug report #707329,
regarding openvpn: CVE-2013-2061: use of non-constant-time memcmp in HMAC
comparison in openvpn_decrypt
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
707329: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=707329
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openvpn
Version: 2.1.3-2+squeeze1
Severity: important
Tags: security patch
Control: found -1 2.2.1-8
Hi,
the following vulnerability was published for openvpn.
CVE-2013-2061[0]:
use of non-constant-time memcmp in HMAC comparison in openvpn_decrypt
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2061
http://security-tracker.debian.org/tracker/CVE-2013-2061
[1] https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-f375aa67cc
[2] https://github.com/OpenVPN/openvpn/commit/11d21349a4e7e38a025849479b36ace7c2eec2ee
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: openvpn
Source-Version: 2.1.3-2+squeeze2
We believe that the bug you reported is fixed in the latest version of
openvpn, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alberto Gonzalez Iniesta <[email protected]> (supplier of updated openvpn package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 17 May 2013 11:16:48 +0000
Source: openvpn
Binary: openvpn
Architecture: source amd64
Version: 2.1.3-2+squeeze2
Distribution: squeeze
Urgency: low
Maintainer: Alberto Gonzalez Iniesta <[email protected]>
Changed-By: Alberto Gonzalez Iniesta <[email protected]>
Description:
openvpn - virtual private network daemon
Closes: 707329
Changes:
openvpn (2.1.3-2+squeeze2) squeeze; urgency=low
.
* Applied upstream patch to fix use of non-constant-time memcmp
in HMAC comparison. CVE-2013-2061. (Closes: #707329)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---
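The defect class named in the report and in the changelog entry (an early-exit `memcmp` on the HMAC) beside a constant-time comparison, as an added example; it is not the upstream OpenVPN patch or Debian's code. The function names, the 20-byte tag and its byte values are constructed for illustration, and the early-exit loop stands in for `memcmp`, whose exact behaviour depends on the C library.

```c
#include <stdint.h>
#include <stdio.h>
#define TAG_LEN 20 /* constructed sample size (an HMAC-SHA1-sized tag) */

/* Early-exit check, as a typical memcmp behaves: stops at the first
 * mismatch. *reads gets the bytes touched, which running time tracks. */
static int tag_eq_early_exit(const uint8_t *a, const uint8_t *b, size_t n,
                             size_t *reads)
{
    size_t i;
    for (i = 0; i < n && a[i] == b[i]; i++)
        ;
    *reads = (i < n) ? i + 1 : n;
    return i == n;
}

/* Constant-time check: reads all n bytes and ORs the differences into one
 * accumulator, so no branch depends on where the tags differ. */
static int tag_eq_ct(const uint8_t *a, const uint8_t *b, size_t n,
                     size_t *reads)
{
    volatile uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    *reads = n;
    return diff == 0;
}

/* Hypothetical helper: compares against a tag that agrees with the expected
 * one in its first `match` bytes and returns how many bytes were read. */
static size_t bytes_read(size_t match, int ct)
{
    uint8_t want[TAG_LEN], got[TAG_LEN];
    size_t i, reads = 0;
    for (i = 0; i < TAG_LEN; i++) {
        want[i] = (uint8_t)(0xA0 + i);
        got[i] = (i < match) ? want[i] : (uint8_t)~want[i];
    }
    (ct ? tag_eq_ct : tag_eq_early_exit)(want, got, TAG_LEN, &reads);
    return reads;
}

int main(void)
{
    for (size_t m = 0; m <= TAG_LEN; m += 5)
        printf("match=%2zu early-exit=%2zu constant-time=%2zu\n",
               m, bytes_read(m, 0), bytes_read(m, 1));
    return 0;
}
```

The early-exit column grows with the length of the matching prefix, while the constant-time column stays at 20 for every input.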