[Bug 1184223] [NEW] CVE-2013-2061: use of non-constant-time memcmp in HMAC comparison in openvpn_decrypt
Simon Déziel
1184223 at bugs.launchpad.net
Sat May 25 22:02:23 UTC 2013
*** This bug is a security vulnerability ***
Public security bug reported:
OpenVPN 2.3.0 and earlier are affected by CVE-2013-2061 in some
configurations. The security impact is fairly low but still worth fixing
IMHO.
Upstream fix announcement: https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-f375aa67cc
Fix commit in upstream git: https://github.com/OpenVPN/openvpn/commit/11d21349a4e7e38a025849479b36ace7c2eec2ee
Debian bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=707329
** Affects: openvpn (Ubuntu)
Importance: Undecided
Status: New
** Information type changed from Private Security to Public Security
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-2061
https://bugs.launchpad.net/bugs/1184223
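The bug title names the defect class: an HMAC tag checked with memcmp, whose running time can depend on the position of the first differing byte. The following is an added example, not code from OpenVPN or from the upstream fix, contrasting an early-exit comparison with a constant-time one; the function names, the 20-byte tag length and the sample tag bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_LEN 20 /* constructed sample tag length, in bytes */

/* Early-exit compare, as a typical memcmp() behaves.
 * *examined reports how many bytes were read before returning. */
static int leaky_equal(const uint8_t *a, const uint8_t *b, size_t n, size_t *examined)
{
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i]) { *examined = i + 1; return 0; }
    }
    *examined = n;
    return 1;
}

/* Constant-time compare: reads all n bytes whatever the contents. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n, size_t *examined)
{
    volatile uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    *examined = n;
    return diff == 0;
}

/* Builds a constructed expected tag and a received copy whose first wrong
 * byte is at index first_bad (first_bad >= TAG_LEN leaves them equal). */
static int run(int constant_time, size_t first_bad, size_t *examined)
{
    uint8_t expected[TAG_LEN], received[TAG_LEN];
    memset(expected, 0xA5, sizeof expected);
    memcpy(received, expected, sizeof received);
    if (first_bad < TAG_LEN) received[first_bad] ^= 0xFF;
    return constant_time ? ct_equal(expected, received, TAG_LEN, examined)
                         : leaky_equal(expected, received, TAG_LEN, examined);
}

size_t work_done(int ct, size_t first_bad) { size_t n = 0; run(ct, first_bad, &n); return n; }
int verdict(int ct, size_t first_bad) { size_t n = 0; return run(ct, first_bad, &n); }

int main(void)
{
    for (size_t bad = 0; bad <= TAG_LEN; bad += 5)
        printf("first bad byte %2zu: memcmp-style reads %2zu, constant-time reads %2zu\n",
               bad, work_done(0, bad), work_done(1, bad));
    return 0;
}
```

Both functions return the same verdict; only the amount of work differs, and in the early-exit version that amount tracks how many leading bytes of the received tag were correct.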