Univention Bugzilla – Bug 31347
openvpn: Insecure HMAC comparison (3.1)
Last modified: 2013-11-19 06:43:07 CET
+++ This bug was initially created as a clone of Bug #31346 +++
+++ This bug was initially created as a clone of Bug #31345 +++

CVE-2013-2061

An information leak in the implementation of HMAC comparisons can allow a chosen ciphertext attack. This is currently only known to be exploitable with PolarSSL (which isn't used in UCS) and generally only exploitable with an attacker being the man-in-the-middle.

More information in the upstream announcement:
https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-f375aa67cc
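Added example, not part of the original bug report and not OpenVPN or Univention code: a sketch of why an HMAC comparison can leak information, with an early-exit comparison shown beside a constant-time one. All function names, the 20-byte tag length and the tag bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_LEN 20 /* assumed tag size (HMAC-SHA1 length), constructed sample */

/* Early-exit comparison: stops at the first differing byte, so the work done
 * depends on the length of the matching prefix. *examined records that work. */
int leaky_tag_equal(const uint8_t *a, const uint8_t *b, size_t len, size_t *examined)
{
    for (size_t i = 0; i < len; i++) {
        if (a[i] != b[i]) {
            *examined = i + 1;
            return 0;
        }
    }
    *examined = len;
    return 1;
}

/* Constant-time comparison: every byte is processed and the differences are
 * accumulated, so the work done is the same wherever the tags differ. */
int ct_tag_equal(const uint8_t *a, const uint8_t *b, size_t len, size_t *examined)
{
    volatile uint8_t diff = 0; /* volatile discourages short-circuit optimisation */
    for (size_t i = 0; i < len; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    *examined = len;
    return diff == 0;
}

/* Bytes examined when the received tag first differs at index mismatch_at
 * (mismatch_at == TAG_LEN means the tags are identical). */
size_t examined_with_mismatch(int constant_time, size_t mismatch_at)
{
    uint8_t expected[TAG_LEN], received[TAG_LEN];
    size_t examined = 0;
    memset(expected, 0xA5, sizeof expected); /* constructed tag bytes */
    memcpy(received, expected, sizeof received);
    if (mismatch_at < TAG_LEN) received[mismatch_at] ^= 0x01;
    if (constant_time) (void)ct_tag_equal(expected, received, TAG_LEN, &examined);
    else (void)leaky_tag_equal(expected, received, TAG_LEN, &examined);
    return examined;
}

int main(void)
{
    for (size_t pos = 0; pos <= TAG_LEN; pos += 10)
        printf("mismatch at %2zu: leaky=%2zu ct=%2zu\n", pos,
               examined_with_mismatch(0, pos), examined_with_mismatch(1, pos));
    return 0;
}
```

When auditing code for this class of bug, look for `memcmp` or `==` applied to MAC tags or other secret-derived values and replace it with a comparison of this second kind, preferably one supplied by the crypto library in use.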
Fixed in 3.2 through the import of Debian 6.0.8. The QA should ideally be made by the same person as for Bug 31956.
(In reply to Moritz Muehlenhoff from comment #1)
> Fixed in 3.2 through the import of Debian 6.0.8.

Correct.
UCS 3.2 has been released:
http://docs.univention.de/release-notes-3.2-en.html
http://docs.univention.de/release-notes-3.2-de.html

If this error occurs again, please use "Clone This Bug".