Univention Bugzilla – Bug 31346
openvpn: Insecure HMAC comparison (3.0)
Last modified: 2019-04-11 19:23:42 CEST
+++ This bug was initially created as a clone of Bug #31345 +++

CVE-2013-2061

An information leak in the implementation of HMAC comparisons can allow a chosen ciphertext attack. This is currently only known to be exploitable with PolarSSL (which isn't used in UCS) and generally only exploitable with an attacker being the man-in-the-middle.

More information in the upstream announcement: https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-f375aa67cc
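The information leak in CVE-2013-2061 comes from an HMAC comparison that does not run in constant time. The C code below is an added example, not part of the original report and not OpenVPN's code; it counts the bytes each comparison reads so the data-dependent behaviour is visible without measuring time. The function names, the 20-byte tag length and the sample tag values are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TAG_LEN 20 /* assumed tag size (HMAC-SHA1), for illustration only */

typedef int (*tag_cmp_fn)(const uint8_t *, const uint8_t *, size_t, size_t *);

/* Insecure pattern: memcmp-style loop that stops at the first mismatch, so the
 * work done depends on how many leading bytes of the candidate tag are right. */
int tag_cmp_early_exit(const uint8_t *a, const uint8_t *b, size_t n, size_t *examined)
{
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i]) { *examined = i + 1; return 1; }
    }
    *examined = n;
    return 0;
}

/* Hardened pattern: read every byte and fold the differences together, so the
 * work is the same for any input. In production prefer a vetted primitive
 * such as OpenSSL's CRYPTO_memcmp. */
int tag_cmp_const_time(const uint8_t *a, const uint8_t *b, size_t n, size_t *examined)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    *examined = n;
    return diff != 0;
}

/* Compare a constructed tag with a candidate whose first prefix_len bytes match;
 * returns the number of bytes read and stores the verdict (0 = equal). */
size_t examined_for_prefix(tag_cmp_fn cmp, size_t prefix_len, int *result)
{
    uint8_t expected[TAG_LEN], candidate[TAG_LEN];
    size_t examined = 0;
    for (size_t i = 0; i < TAG_LEN; i++) {
        expected[i] = (uint8_t)(0xA0 + i); /* constructed sample tag */
        candidate[i] = (i < prefix_len) ? expected[i] : (uint8_t)~expected[i];
    }
    *result = cmp(expected, candidate, TAG_LEN, &examined);
    return examined;
}

int main(void)
{
    int r;
    for (size_t p = 0; p <= TAG_LEN; p += 5) {
        size_t e = examined_for_prefix(tag_cmp_early_exit, p, &r);
        size_t c = examined_for_prefix(tag_cmp_const_time, p, &r);
        printf("matching prefix %2zu: early-exit reads %2zu, constant-time reads %2zu\n", p, e, c);
    }
    return 0;
}
```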
The maintenance with bug and security fixes for UCS 3.0-x has ended on 30th June 2013. The maintenance of the UCS 3.x major series is continued by UCS 3.1-x that is supplied with bug and security fixes. Customers still on UCS 3.0-x are encouraged to update to UCS 3.1 that contains, among other things, Linux Kernel 3.2, Univention App Center, an update of Samba 3 and Samba 4, support for Microsoft Windows 2012 and Windows 8. Please contact your partner or Univention for any questions.