CVE-2013-2061
Published: 17 November 2013
The openvpn_decrypt function in crypto.c in OpenVPN 2.3.0 and earlier, when running in UDP mode, allows remote attackers to obtain sensitive information via a timing attack involving an HMAC comparison function that does not run in constant time and a padding oracle attack on the CBC mode cipher.
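The class of flaw named in the description, shown as an added example that is not OpenVPN's code: an early-exit tag comparison beside a constant-time one, counting bytes examined rather than measuring time. The function names, `TAG_LEN` and the sample tag bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TAG_LEN 20 /* constructed: length of an HMAC-SHA1 tag */

/* Early-exit, memcmp-style comparison: the number of loop iterations
 * depends on where the first mismatching byte sits. */
static int leaky_compare(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (a[i] != b[i])
            return a[i] < b[i] ? -1 : 1;
    }
    return 0;
}

/* Constant-time comparison: every byte is always examined and the
 * differences are OR-ed together, so control flow does not depend on
 * the tag contents. Returns 0 on match, non-zero otherwise. */
static int ct_compare(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    volatile uint8_t diff = 0;
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    return diff;
}

/* Compare a constructed reference tag with a candidate whose first
 * `prefix` bytes are correct; return how many bytes were examined. */
static size_t bytes_examined(int constant_time, size_t prefix, int *result)
{
    uint8_t expected[TAG_LEN], candidate[TAG_LEN];
    size_t steps;
    for (size_t i = 0; i < TAG_LEN; i++) {
        expected[i] = (uint8_t)(0xA0 + i); /* constructed sample tag */
        candidate[i] = i < prefix ? expected[i] : (uint8_t)~expected[i];
    }
    *result = constant_time ? ct_compare(expected, candidate, TAG_LEN, &steps)
                            : leaky_compare(expected, candidate, TAG_LEN, &steps);
    return steps;
}
```

The early-exit version's work grows with the length of the correct prefix, which is the data-dependent behaviour a constant-time comparison removes.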
Priority
Status
Package | Release | Status |
---|---|---|
openvpn | hardy | Ignored (reached end-of-life) |
openvpn | lucid | Ignored (reached end-of-life) |
openvpn | oneiric | Ignored (reached end-of-life) |
openvpn | precise | Released (2.2.1-8ubuntu1.3) |
openvpn | quantal | Ignored (reached end-of-life) |
openvpn | raring | Ignored (reached end-of-life) |
openvpn | saucy | Not vulnerable (2.3.1-2ubuntu1) |
openvpn | trusty | Not vulnerable (2.3.1-2ubuntu1) |
openvpn | upstream | Released (2.3.1) |

Patches: upstream: https://github.com/OpenVPN/openvpn/commit/11d21349a4e7e38a025849479b36ace7c2eec2ee