Tinc VPN security issue (CVE-2013-1428)

Bug #1174763 reported by Fleg
This bug affects 4 people
Affects | Status | Importance | Assigned to | Milestone
tinc (Ubuntu) | Fix Released | Undecided | Unassigned |
Lucid | Won't Fix | Undecided | Unassigned |
Precise | Won't Fix | Undecided | Unassigned |
Trusty | Fix Released | Undecided | Unassigned |
Utopic | Fix Released | Undecided | Unassigned |
Vivid | Fix Released | Undecided | Unassigned |

Bug Description

Please update ubuntu with a newer version of tinc because of the vulnerability below.

http://www.tinc-vpn.org/pipermail/tinc/2013-April/003240.html

Tags: security
Seth Arnold (seth-arnold) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Changed in tinc (Ubuntu):
status: New → Incomplete
information type: Private Security → Public Security
Malte S. Stretz (mss) wrote : Re: Tinc VPN security issue
summary: - Tinc VPN security issue
+ Tinc VPN security issue (CVE-2013-1428)
Renne (renne) wrote :

Ubuntu 12.04.2 LTS is using Tinc 1.0.16.
Ubuntu 13.04.2 is using Tinc 1.0.19.

So I suggest upgrading Ubuntu 12.04.2 LTS and 13.04 to Tinc version 1.0.21.

Renne (renne) wrote :

Guus Sliepen, the main developer of Tinc, said the patch can be adjusted to 1.0.16 for LTS, too. Depending on the update policy of Ubuntu, an update to 1.0.21 provides the option "Name = $HOST" in the configuration file, which would simplify deployment of multiple nodes a lot. For current releases he recommended updating to 1.0.21.

Launchpad Janitor (janitor) wrote :

[Expired for tinc (Ubuntu) because there has been no activity for 60 days.]

Changed in tinc (Ubuntu):
status: Incomplete → Expired
Avery-yates (avery-yates) wrote :

This is still an issue. LTS needs a backport. Some of us are in this boat until 2017.

Changed in tinc (Ubuntu):
status: Expired → Confirmed
Changed in tinc (Ubuntu Vivid):
status: Confirmed → Fix Released
Changed in tinc (Ubuntu Utopic):
status: New → Fix Released
Changed in tinc (Ubuntu Trusty):
status: New → Fix Released
Changed in tinc (Ubuntu Precise):
status: New → Confirmed
Changed in tinc (Ubuntu Lucid):
status: New → Confirmed
Rolf Leggewie (r0lf) wrote :

Lucid has seen the end of its life and is no longer receiving any updates. Marking the Lucid task for this ticket as "Won't Fix".

Changed in tinc (Ubuntu Lucid):
status: Confirmed → Won't Fix
Steve Langasek (vorlon) wrote :

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release.

Changed in tinc (Ubuntu Precise):
status: Confirmed → Won't Fix
This report contains Public Security information  
Everyone can see this security related information.