FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2025-06-26 16:42:54 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID	Description
47bc292a-d472-11ef-aaab-7d43732cb6f5	openvpn -- too long a username or password from a client can confuse openvpn servers Frank Lichtenheld reports: [OpenVPN v2.6.13 ...] improve server-side handling of clients sending usernames or passwords longer than USER_PASS_LEN - this would not result in a crash, buffer overflow or other security issues, but the server would then misparse incoming IV variables and produce misleading error messages. Discovery 2024-10-28 Entry 2025-01-17 openvpn < 2.6.13 https://github.com/OpenVPN/openvpn/releases/tag/v2.6.13
2cad4541-0f5b-11f0-89f8-411aefea0df9	openvpn -- server-side denial-of-service vulnerability with tls-crypt-v2 Gert Doering reports: OpenVPN servers between 2.6.1 and 2.6.13 using --tls-crypt-v2 can be made to abort with an ASSERT() message by sending a particular combination of authenticated and malformed packets. To trigger the bug, a valid tls-crypt-v2 client key is needed, or network observation of a handshake with a valid tls-crypt-v2 client key No crypto integrity is violated, no data is leaked, and no remote code execution is possible. This bug does not affect OpenVPN clients. Discovery 2025-03-26 Entry 2025-04-02 openvpn >= 2.6.1 lt 2.6.14 openvpn-devel < g20250402,1 CVE-2025-2704 https://github.com/OpenVPN/openvpn/blob/v2.6.14/Changes.rst#overview-of-changes-in-2614

VuXML ID

Description

47bc292a-d472-11ef-aaab-7d43732cb6f5

openvpn -- too long a username or password from a client can confuse openvpn servers

Frank Lichtenheld reports:

[OpenVPN v2.6.13 ...] improve server-side handling of clients sending usernames or passwords longer than USER_PASS_LEN - this would not result in a crash, buffer overflow or other security issues, but the server would then misparse incoming IV variables and produce misleading error messages.

Discovery 2024-10-28
Entry 2025-01-17
openvpn

< 2.6.13

https://github.com/OpenVPN/openvpn/releases/tag/v2.6.13

2cad4541-0f5b-11f0-89f8-411aefea0df9

openvpn -- server-side denial-of-service vulnerability with tls-crypt-v2

Gert Doering reports:

OpenVPN servers between 2.6.1 and 2.6.13 using --tls-crypt-v2 can be made to abort with an ASSERT() message by sending a particular combination of authenticated and malformed packets.

To trigger the bug, a valid tls-crypt-v2 client key is needed, or network observation of a handshake with a valid tls-crypt-v2 client key

No crypto integrity is violated, no data is leaked, and no remote code execution is possible.

This bug does not affect OpenVPN clients.

Discovery 2025-03-26
Entry 2025-04-02
openvpn

>= 2.6.1 lt 2.6.14

openvpn-devel

< g20250402,1

CVE-2025-2704
https://github.com/OpenVPN/openvpn/blob/v2.6.14/Changes.rst#overview-of-changes-in-2614