On 26/06/15 13:28, Gert Doering wrote:
Hi,
On Fri, Jun 26, 2015 at 12:16:43PM +0200, David Sommerseth wrote:
* Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)
This might be an issue on OpenVPN on the server side. However,
--tls-auth will reduce the attack vector to one of your own users.
As we're not using X509_cmp_time()...
that was my initial thought as well, but X509_cmp_time might be (is)
called by OpenSSL internally to check the dates on certificates and
perhaps CRLs. It would need further investigation, I guess.
JJK
