openvpn: CVE-2013-2061: use of non-constant-time memcmp in HMAC comparison in openvpn_decrypt

Related Vulnerabilities: CVE-2013-2061  

Debian Bug report logs - #707329
openvpn: CVE-2013-2061: use of non-constant-time memcmp in HMAC comparison in openvpn_decrypt


Package: openvpn; Maintainer for openvpn is Bernhard Schmidt <berni@debian.org>; Source for openvpn is src:openvpn (PTS, buildd, popcon).

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 9 May 2013 06:00:02 UTC

Severity: important

Tags: patch, security

Found in versions openvpn/2.2.1-8, openvpn/2.1.3-2+squeeze1

Fixed in versions openvpn/2.3.1-1, openvpn/2.2.1-8+deb7u1, openvpn/2.1.3-2+squeeze2

Done: Alberto Gonzalez Iniesta <agi@inittab.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Alberto Gonzalez Iniesta <agi@inittab.org>:
Bug#707329; Package openvpn. (Thu, 09 May 2013 06:00:06 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Alberto Gonzalez Iniesta <agi@inittab.org>. (Thu, 09 May 2013 06:00:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openvpn: CVE-2013-2061: use of non-constant-time memcmp in HMAC comparison in openvpn_decrypt
Date: Thu, 09 May 2013 07:57:49 +0200
Package: openvpn
Version: 2.1.3-2+squeeze1
Severity: important
Tags: security patch
Control: found -1 2.2.1-8

Hi,

the following vulnerability was published for openvpn.

CVE-2013-2061[0]:
use of non-constant-time memcmp in HMAC comparison in openvpn_decrypt

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2061
    http://security-tracker.debian.org/tracker/CVE-2013-2061
[1] https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-f375aa67cc
[2] https://github.com/OpenVPN/openvpn/commit/11d21349a4e7e38a025849479b36ace7c2eec2ee

Regards,
Salvatore
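The report names the bug class but not its shape in code. As an added illustration, not OpenVPN's own code or the upstream fix commit linked above, the early-exit `memcmp` comparison is shown beside a constant-time one, using a constructed 20-byte tag and a hypothetical `forge_tag` helper; `early_exit_bytes_inspected` models the quantity a timing side channel observes.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define HMAC_LEN 20 /* SHA-1 HMAC tag, OpenVPN's default --auth digest */

/* Bug class behind CVE-2013-2061: memcmp() returns at the first differing byte,
 * so rejecting a packet takes longer for every leading tag byte that matches. */
int tag_equal_memcmp(const uint8_t *expected, const uint8_t *received)
{
    return memcmp(expected, received, HMAC_LEN) == 0;
}

/* Hardened form: OR together the XOR of every byte pair, decide only at the end.
 * No data-dependent branch or early exit, so the work is the same for any input. */
int tag_equal_constant_time(const uint8_t *expected, const uint8_t *received)
{
    volatile uint8_t diff = 0; /* volatile: discourage the compiler from shortcutting */
    for (size_t i = 0; i < HMAC_LEN; i++)
        diff |= expected[i] ^ received[i];
    return diff == 0;
}
/* Constructed sample tag (not a real HMAC), standing in for the recomputed tag. */
static const uint8_t GOOD_TAG[HMAC_LEN] = { 0x1f,0x2e,0x3d,0x4c,0x5b,0x6a,0x79,0x88,0x97,0xa6,
                                            0xb5,0xc4,0xd3,0xe2,0xf1,0x00,0x11,0x22,0x33,0x44 };

/* Hypothetical helper: flips one bit of GOOD_TAG at index pos (pos < HMAC_LEN). */
static void forge_tag(size_t pos, uint8_t out[HMAC_LEN])
{
    memcpy(out, GOOD_TAG, HMAC_LEN);
    out[pos] ^= 0x80;
}

/* Models what a timing side channel observes: how many bytes an early-exit compare
 * inspects before rejecting a tag wrong only at pos. Constant time: always HMAC_LEN. */
size_t early_exit_bytes_inspected(size_t pos)
{
    uint8_t forged[HMAC_LEN];
    forge_tag(pos, forged);
    for (size_t i = 0; i < HMAC_LEN; i++)
        if (GOOD_TAG[i] != forged[i])
            return i + 1;
    return HMAC_LEN;
}
/* Both comparators must give the same verdict; only their timing differs. */
int forgery_rejected_by_both(size_t pos)
{
    uint8_t forged[HMAC_LEN];
    forge_tag(pos, forged);
    return !tag_equal_memcmp(GOOD_TAG, forged) && !tag_equal_constant_time(GOOD_TAG, forged);
}
```

The verdict is identical for both comparators; the difference is that the early-exit version inspects 1 byte for a tag wrong at index 0 and all 20 for one wrong at index 19, which is exactly the data-dependent behaviour the fix removes.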



Marked as found in versions openvpn/2.2.1-8. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Thu, 09 May 2013 06:00:06 GMT) (full text, mbox, link).


Reply sent to Alberto Gonzalez Iniesta <agi@inittab.org>:
You have taken responsibility. (Fri, 17 May 2013 10:51:05 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Fri, 17 May 2013 10:51:05 GMT) (full text, mbox, link).


Message #12 received at 707329-close@bugs.debian.org (full text, mbox, reply):

From: Alberto Gonzalez Iniesta <agi@inittab.org>
To: 707329-close@bugs.debian.org
Subject: Bug#707329: fixed in openvpn 2.3.1-1
Date: Fri, 17 May 2013 10:49:06 +0000
Source: openvpn
Source-Version: 2.3.1-1

We believe that the bug you reported is fixed in the latest version of
openvpn, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 707329@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alberto Gonzalez Iniesta <agi@inittab.org> (supplier of updated openvpn package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Fri, 17 May 2013 11:54:31 +0200
Source: openvpn
Binary: openvpn
Architecture: source amd64
Version: 2.3.1-1
Distribution: unstable
Urgency: low
Maintainer: Alberto Gonzalez Iniesta <agi@inittab.org>
Changed-By: Alberto Gonzalez Iniesta <agi@inittab.org>
Description: 
 openvpn    - virtual private network daemon
Closes: 707329
Changes: 
 openvpn (2.3.1-1) unstable; urgency=low
 .
   * New upstream version. Fixes use of non-constant-time memcmp in HMAC
     comparison. CVE-2013-2061 (Closes: #707329)




Reply sent to Alberto Gonzalez Iniesta <agi@inittab.org>:
You have taken responsibility. (Thu, 06 Jun 2013 18:51:21 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 06 Jun 2013 18:51:21 GMT) (full text, mbox, link).


Message #17 received at 707329-close@bugs.debian.org (full text, mbox, reply):

From: Alberto Gonzalez Iniesta <agi@inittab.org>
To: 707329-close@bugs.debian.org
Subject: Bug#707329: fixed in openvpn 2.2.1-8+deb7u1
Date: Thu, 06 Jun 2013 18:47:06 +0000
Source: openvpn
Source-Version: 2.2.1-8+deb7u1

We believe that the bug you reported is fixed in the latest version of
openvpn, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 707329@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alberto Gonzalez Iniesta <agi@inittab.org> (supplier of updated openvpn package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 17 May 2013 11:33:07 +0000
Source: openvpn
Binary: openvpn
Architecture: source amd64
Version: 2.2.1-8+deb7u1
Distribution: wheezy
Urgency: low
Maintainer: Alberto Gonzalez Iniesta <agi@inittab.org>
Changed-By: Alberto Gonzalez Iniesta <agi@inittab.org>
Description: 
 openvpn    - virtual private network daemon
Closes: 707329
Changes: 
 openvpn (2.2.1-8+deb7u1) wheezy; urgency=low
 .
   * Applied upstream patch to fix use of non-constant-time memcmp
     in HMAC comparison. CVE-2013-2061. (Closes: #707329)




Reply sent to Alberto Gonzalez Iniesta <agi@inittab.org>:
You have taken responsibility. (Thu, 06 Jun 2013 19:36:38 GMT) (full text, mbox, link).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 06 Jun 2013 19:36:38 GMT) (full text, mbox, link).


Message #22 received at 707329-close@bugs.debian.org (full text, mbox, reply):

From: Alberto Gonzalez Iniesta <agi@inittab.org>
To: 707329-close@bugs.debian.org
Subject: Bug#707329: fixed in openvpn 2.1.3-2+squeeze2
Date: Thu, 06 Jun 2013 19:32:23 +0000
Source: openvpn
Source-Version: 2.1.3-2+squeeze2

We believe that the bug you reported is fixed in the latest version of
openvpn, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 707329@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alberto Gonzalez Iniesta <agi@inittab.org> (supplier of updated openvpn package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 17 May 2013 11:16:48 +0000
Source: openvpn
Binary: openvpn
Architecture: source amd64
Version: 2.1.3-2+squeeze2
Distribution: squeeze
Urgency: low
Maintainer: Alberto Gonzalez Iniesta <agi@inittab.org>
Changed-By: Alberto Gonzalez Iniesta <agi@inittab.org>
Description: 
 openvpn    - virtual private network daemon
Closes: 707329
Changes: 
 openvpn (2.1.3-2+squeeze2) squeeze; urgency=low
 .
   * Applied upstream patch to fix use of non-constant-time memcmp
     in HMAC comparison. CVE-2013-2061. (Closes: #707329)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 05 Jul 2013 07:28:10 GMT) (full text, mbox, link).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:27:01 2019; Machine Name: buxtehude
