[Bug 256621] Re: [CVE-2008-3459] OpenVPN vulnerability allows arbitrary command execution via crafted configuration
Thierry Carrez
thierry.carrez at ubuntu.com
Mon Sep 1 08:58:08 BST 2008
To fix this in hardy (rc7-based, probably affected):
Difficult to extract a minimal patch from the RC8 to RC9 diff. I removed
what was obviously windowsish and the version number updates. The
problem is that the exact nature of the vulnerability doesn't seem to
have been disclosed, that the upstream fix is introducing behavioral
changes and that the real fix is drowned in a sea of security hardening
efforts. What we are looking for must be in route.c, lladdr.c, maybe in
multi.c...
I'll try to get more info from upstream.
** Attachment added: "rc8_to_rc9.diff.gz"
http://launchpadlibrarian.net/17199440/rc8_to_rc9.diff.gz
--
[CVE-2008-3459] OpenVPN vulnerability allows arbitrary command execution via crafted configuration
https://bugs.launchpad.net/bugs/256621
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openvpn in ubuntu.