MGASA-2013-0153
Date: | May 25th, 2013 |
Affected releases: | 2 |
Media: | Core |
Description:
Updated openvpn package fixes security vulnerability:
OpenVPN 2.3.0 and earlier running in UDP mode are subject to chosen
ciphertext injection due to a non-constant-time HMAC comparison function.
Plaintext recovery may be possible using a padding oracle attack on the
CBC mode cipher implementation of the crypto library, optimistically at a
rate of about one character per 3 hours. PolarSSL seems vulnerable to such
an attack; the vulnerability of OpenSSL has not been verified or tested
(CVE-2013-2061).
Updated Packages:
i586:
openvpn-2.2.2-5.3.mga2.i586.rpm
openvpn-debug-2.2.2-5.3.mga2.i586.rpm
x86_64:
openvpn-2.2.2-5.3.mga2.x86_64.rpm
openvpn-debug-2.2.2-5.3.mga2.x86_64.rpm
SRPMS:
openvpn-2.2.2-5.3.mga2.src.rpm
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2061
https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-f375aa67cc
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105609.html
https://bugs.mageia.org/show_bug.cgi?id=10125