Bug 14714 - openvpn new security issue CVE-2014-8104
Summary: openvpn new security issue CVE-2014-8104
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/624076/
Whiteboard: has_procedure advisory mga4-32-ok MGA...
Keywords: validated_update
Reported: 2014-12-02 20:06 CET by David Walser
Modified: 2014-12-05 17:59 CET

Source RPM: openvpn-2.3.2-3.mga4.src.rpm

Description David Walser 2014-12-02 20:06:06 CET
Debian and Ubuntu have issued advisories on December 1 and December 2:
https://www.debian.org/security/2014/dsa-3084
http://www.ubuntu.com/usn/usn-2430-1/

Patched packages uploaded for Mageia 4 and Cauldron.

We previously updated this in Bug 10125, you may find some helpful information for testing it there.

Advisory:
========================

Updated openvpn packages fix security vulnerability:

Dragana Damjanovic discovered that OpenVPN incorrectly handled certain control
channel packets. An authenticated attacker could use this issue to cause an
OpenVPN server to crash, resulting in a denial of service (CVE-2014-8104).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8104
http://www.ubuntu.com/usn/usn-2430-1/
========================

Updated packages in core/updates_testing:
========================
openvpn-2.3.2-3.1.mga4
libopenvpn-devel-2.3.2-3.1.mga4

from openvpn-2.3.2-3.1.mga4.src.rpm

Comment 1 claire robinson 2014-12-02 21:31:45 CET
Advisory uploaded.

Whiteboard: (none) => has_procedure advisory

Comment 2 David Walser 2014-12-03 16:51:04 CET
Upstream advisory:
https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b

Comment 3 Herman Viaene 2014-12-05 11:38:28 CET
Testing MGA4-64 on HP Probook 6555b
Installed without problems.
After copying the sample server.conf and key files from /usr/share/openvpn to /etc/openvpn, I could execute successfully 
systemctl restart openvpn@server.service
and 
systemctl status openvpn@server.service
gave me the same info as in bug 10125 comment 8
ps -aux and netstat show vpn running
However, trying to run client gives an error "certificate has expired" (unknown territory for me)
but I can ping 10.8.0.1 (my own internal network being on 192.168.x.x)
So, AFAICS it seems OK

CC: (none) => herman.viaene
Whiteboard: has_procedure advisory => has_procedure advisory MGA4-64-OK

Comment 4 claire robinson 2014-12-05 17:18:49 CET
Testing mga4 32

I get the same results as Herman. Without regenerating all the certificates, which doesn't seem straightforward to do, I think this shows it is working ok.

Validating.

Please push to updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure advisory MGA4-64-OK => has_procedure advisory mga4-32-ok MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2014-12-05 17:59:57 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0512.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

