Bug 14714

Summary: openvpn new security issue CVE-2014-8104
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: herman.viaene, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/624076/
Whiteboard: has_procedure advisory mga4-32-ok MGA4-64-OK
Source RPM: openvpn-2.3.2-3.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-12-02 20:06:06 CET 
Debian and Ubuntu have issued advisories on December 1 and December 2:
https://www.debian.org/security/2014/dsa-3084
http://www.ubuntu.com/usn/usn-2430-1/

Patched packages uploaded for Mageia 4 and Cauldron.

We previously updated this in Bug 10125, you may find some helpful information for testing it there.

Advisory:
========================

Updated openvpn packages fix security vulnerability:

Dragana Damjanovic discovered that OpenVPN incorrectly handled certain control
channel packets. An authenticated attacker could use this issue to cause an
OpenVPN server to crash, resulting in a denial of service (CVE-2014-8104).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8104
http://www.ubuntu.com/usn/usn-2430-1/
========================

Updated packages in core/updates_testing:
========================
openvpn-2.3.2-3.1.mga4
libopenvpn-devel-2.3.2-3.1.mga4

from openvpn-2.3.2-3.1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 claire robinson 2014-12-02 21:31:45 CET 
Advisory uploaded.

Whiteboard: (none) => has_procedure advisory

Comment 2 David Walser 2014-12-03 16:51:04 CET 
Upstream advisory:
https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b
Comment 3 Herman Viaene 2014-12-05 11:38:28 CET 
Testing MGA4-64 on HP Probook 6555b
Installed without problems.
After copying the sample server.conf and key files from /usr/share/openvpn to /etc/openvpn, I could execute successfully 
systemctl restart openvpn@server.service
and 
systemctl status openvpn@server.service
gave me the same info as in bug 10125 comment 8
ps -aux and netstat show vpn running
However, trying to run client gives an error "certificate has expired" (unknown territory for me)
but I can ping 10.8.0.1 (my own internal network being on 192.168.x.x)
So, AFAICS it seems OK

CC: (none) => herman.viaene
Whiteboard: has_procedure advisory => has_procedure advisory MGA4-64-OK

Comment 4 claire robinson 2014-12-05 17:18:49 CET 
Testing mga4 32

I get the same results as Herman. Without regenerating all the certificates, which doesn't seem straightforward to do, I think this shows it is working ok.

Validating.

Please push to updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure advisory MGA4-64-OK => has_procedure advisory mga4-32-ok MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2014-12-05 17:59:57 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0512.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED