*** This bug is a security vulnerability ***

Public security bug reported:

OpenVPN 2.3.0 and earlier are affected by CVE-2013-2061 in some
configurations. The security impact is fairly low but still worth fixing
IMHO.

Upstream fix announcement: 
https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-f375aa67cc
Fix commit in upstream git: 
https://github.com/OpenVPN/openvpn/commit/11d21349a4e7e38a025849479b36ace7c2eec2ee
Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=707329

** Affects: openvpn (Ubuntu)
     Importance: Undecided
         Status: New

** Information type changed from Private Security to Public Security

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-2061

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openvpn in Ubuntu.
https://bugs.launchpad.net/bugs/1184223

Title:
  CVE-2013-2061: use of non-constant-time memcmp in HMAC comparison in
  openvpn_decrypt

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openvpn/+bug/1184223/+subscriptions

-- 
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
