CVE-2013-2061: use of non-constant-time memcmp in HMAC comparison in openvpn_decrypt
Bug #1184223 reported by
Simon Déziel
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| openvpn (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
| Precise |
Fix Released
|
Low
|
Unassigned | ||
| Quantal |
Won't Fix
|
Low
|
Unassigned | ||
| Raring |
Won't Fix
|
Low
|
Unassigned | ||
| Saucy |
Fix Released
|
Undecided
|
Unassigned | ||
Bug Description
OpenVPN 2.3.0 and earlier are affected by CVE-2013-2061 in some configuration. The security impact is fairly low but still worth fixing IMHO.
Upstream fix announcement: https:/
Fix commit in upstream git: https:/
Debian bug: http://
CVE References
| information type: | Private Security → Public Security |
| Changed in openvpn (Ubuntu Precise): | |
| status: | New → Confirmed |
| importance: | Undecided → Low |
| Changed in openvpn (Ubuntu Quantal): | |
| status: | New → Confirmed |
| importance: | Undecided → Low |
| Changed in openvpn (Ubuntu Raring): | |
| status: | New → Confirmed |
| importance: | Undecided → Low |
| Changed in openvpn (Ubuntu Saucy): | |
| status: | New → Fix Released |
Revision history for this message
| Marc Deslauriers (mdeslaur) wrote | #1 |
| Changed in openvpn (Ubuntu Raring): | |
| status: | Confirmed → Won't Fix |
| Changed in openvpn (Ubuntu Quantal): | |
| status: | Confirmed → Won't Fix |
Revision history for this message
| Simon Déziel (sdeziel) wrote | #2 |
| Changed in openvpn (Ubuntu Precise): | |
| status: | Confirmed → Fix Released |
To post a comment you must log in.
Thanks for the merge request.
We rate this security vulnerability as being "low" priority, which means we will not publish a security update for it unless another more important issue turns up in openvpn, at which point we will bundle both updates together.
I am unsubscribing ubuntu-