CVE-2013-2061: use of non-constant-time memcmp in HMAC comparison in openvpn_decrypt
Bug #1184223 reported by Simon Déziel
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openvpn (Ubuntu) | Fix Released | Undecided | Unassigned |
Precise | Fix Released | Low | Unassigned |
Quantal | Won't Fix | Low | Unassigned |
Raring | Won't Fix | Low | Unassigned |
Saucy | Fix Released | Undecided | Unassigned |
Bug Description
OpenVPN 2.3.0 and earlier are affected by CVE-2013-2061 in some configurations. The security impact is fairly low but still worth fixing IMHO.
Upstream fix announcement: https:/
Fix commit in upstream git: https:/
Debian bug: http://
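The issue named in the title, shown as an added illustration (not part of the original report and not OpenVPN's code): an early-exit comparison reads more bytes the longer the matching prefix of the received tag is, while a constant-time comparison always reads the whole tag. The function names, `TAG_LEN` and the 20-byte tag are assumptions made for this example, and the byte count stands in for elapsed time.

```c
#include <stdint.h>
#include <stdio.h>
#define TAG_LEN 20 /* assumed tag size (HMAC-SHA1); all sample data is constructed */

/* Early-exit compare with memcmp-like control flow. *examined records the
 * bytes read, which grows with the matching prefix: the timing signal. */
static int early_exit_cmp(const uint8_t *a, const uint8_t *b, size_t n, size_t *examined)
{
    *examined = 0;
    for (size_t i = 0; i < n; i++) {
        *examined = i + 1;
        if (a[i] != b[i])
            return a[i] < b[i] ? -1 : 1;
    }
    return 0;
}

/* Constant-time compare: reads every byte and ORs the differences together,
 * so the work does not depend on where the inputs differ. 0 means equal. */
static int ct_cmp(const uint8_t *a, const uint8_t *b, size_t n, size_t *examined)
{
    volatile uint8_t diff = 0; /* volatile: keep the compiler from short-circuiting */
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    *examined = n;
    return diff != 0;
}

/* Bytes read when the received tag first differs at first_bad (TAG_LEN = identical). */
static size_t bytes_examined(int constant_time, size_t first_bad)
{
    uint8_t good[TAG_LEN], recv[TAG_LEN];
    size_t seen = 0;
    for (size_t i = 0; i < TAG_LEN; i++)
        good[i] = recv[i] = (uint8_t)(0xA0 + i);
    if (first_bad < TAG_LEN)
        recv[first_bad] ^= 0xFF;
    if (constant_time) (void)ct_cmp(good, recv, TAG_LEN, &seen);
    else (void)early_exit_cmp(good, recv, TAG_LEN, &seen);
    return seen;
}

int main(void)
{
    for (size_t bad = 0; bad <= TAG_LEN; bad += 5)
        printf("first wrong byte %2zu: early-exit reads %2zu, constant-time reads %2zu\n",
               bad, bytes_examined(0, bad), bytes_examined(1, bad));
    return 0;
}
```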
CVE References
information type: Private Security → Public Security
Changed in openvpn (Ubuntu Precise):
status: New → Confirmed
importance: Undecided → Low
Changed in openvpn (Ubuntu Quantal):
status: New → Confirmed
importance: Undecided → Low
Changed in openvpn (Ubuntu Raring):
status: New → Confirmed
importance: Undecided → Low
Changed in openvpn (Ubuntu Saucy):
status: New → Fix Released
Changed in openvpn (Ubuntu Raring):
status: Confirmed → Won't Fix
Changed in openvpn (Ubuntu Quantal):
status: Confirmed → Won't Fix
Thanks for the merge request.
We rate this security vulnerability as being "low" priority, which means we will not publish a security update for it unless another more important issue turns up in openvpn, at which point we will bundle both updates together.
I am unsubscribing ubuntu-security-sponsors for now.