Bug 19251

Summary: openvpn new security issue CVE-2016-6329
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: davidwhodgins, sysadmin-bugs
Version: 5
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
URL: http://lwn.net/Vulnerabilities/698339/
Whiteboard: has_procedure advisory MGA5-32-OK
Source RPM: openvpn-2.3.11-1.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2016-08-26 19:46:53 CEST
Fedora has issued an advisory today (August 26):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IIPSFOGSRZ5PCY7HRYCDJADE4DTIBMML/

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated openvpn packages fix security vulnerability:

Ciphers with 64-bit block sizes used in CBC mode were found to be vulnerable to
a birthday attack when key renegotiation doesn't happen frequently or at all in
long-running connections. The Blowfish cipher, as used in OpenVPN by default, is
vulnerable to this attack, which allows a remote attacker to recover partial
plaintext information (XOR of two plaintext blocks) (CVE-2016-6329).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6329
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IIPSFOGSRZ5PCY7HRYCDJADE4DTIBMML/
========================

Updated packages in core/updates_testing:
========================
openvpn-2.3.12-1.mga5
libopenvpn-devel-2.3.12-1.mga5

from openvpn-2.3.12-1.mga5.src.rpm
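The following is an added illustration, not part of the original report or of OpenVPN's code, of why a CBC ciphertext-block collision exposes the XOR of two plaintext blocks and why rekeying well before the birthday bound matters. It assumes a toy 16-bit Feistel cipher (a hypothetical stand-in for a 64-bit cipher such as Blowfish) and constructed random plaintext so that collisions appear after a few hundred blocks.

```python
import hashlib
import random

BLOCK_BITS = 16  # toy block size (assumption) so collisions appear quickly


def toy_encrypt_block(key, block):
    """4-round Feistel network on 16 bits: a keyed permutation, NOT a secure cipher."""
    left, right = block >> 8, block & 0xFF
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd, right])).digest()[0]
        left, right = right, left ^ f
    return (left << 8) | right


def cbc_encrypt(key, iv, plaintext):
    """CBC mode: C[i] = E(P[i] XOR C[i-1]). Returns [IV, C0, C1, ...]."""
    out = [iv]
    for p in plaintext:
        out.append(toy_encrypt_block(key, p ^ out[-1]))
    return out


def find_collisions(ct):
    """Index pairs (i, j), i < j, of equal ciphertext blocks (IV at index 0 skipped)."""
    seen, pairs = {}, []
    for idx in range(1, len(ct)):
        if ct[idx] in seen:
            pairs.append((seen[ct[idx]], idx))
        else:
            seen[ct[idx]] = idx
    return pairs


def blocks_for_likely_collision(block_bits):
    """Birthday bound: collisions become likely near 2^(n/2) blocks under one key."""
    return 2 ** (block_bits // 2)


def run_demo(seed=1, n_blocks=2000):
    rng = random.Random(seed)  # constructed sample data, fixed seed for repeatability
    key = bytes(rng.randrange(256) for _ in range(16))
    pt = [rng.randrange(1 << BLOCK_BITS) for _ in range(n_blocks)]
    ct = cbc_encrypt(key, rng.randrange(1 << BLOCK_BITS), pt)
    # ct[k] encrypts pt[k-1]. ct[i] == ct[j] means the cipher inputs were equal,
    # so pt[i-1] ^ pt[j-1] == ct[i-1] ^ ct[j-1], and the right side is public.
    return [(pt[i - 1] ^ pt[j - 1], ct[i - 1] ^ ct[j - 1]) for i, j in find_collisions(ct)]
```

For a 64-bit block, `blocks_for_likely_collision(64)` is 2^32 blocks of 8 bytes, about 32 GiB under a single key, which is why infrequent renegotiation on long-running connections is the precondition named in the advisory.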
Comment 1 David Walser 2016-08-26 19:47:07 CEST
Testing ideas in Bug 17418.

Whiteboard: (none) => has_procedure

Comment 2 Dave Hodgins 2016-09-07 03:40:58 CEST
Tested using procedure from bug 10125

Keywords: (none) => validated_update
Whiteboard: has_procedure => has_procedure advisory MGA5-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 3 Mageia Robot 2016-09-16 11:28:10 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0304.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED