Univention Bugzilla – Bug 31345
openvpn: Insecure HMAC comparison (2.4)
Last modified: 2019-04-11 19:24:13 CEST
CVE-2013-2061 An information leak in the implementation of HMAC comparisons can allow a chosen ciphertext attack. This is currently only known to be exploitable with PolarSSL (which isn't used in UCS) and generally only exploitable with an attacker being the man-in-the-middle. More information in the upstream announcement: https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-f375aa67cc
The maintenance with bug and security fixes for UCS 2.4-x has ended on the 31st of December 2013. Customers still on UCS 2.4-x are encouraged to update to UCS 3.x. Please contact your partner or Univention for any questions.