FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

Revision:  517704
Date:      2019-11-15
Time:      22:46:16Z
Committer: naddy

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
92f30415-9935-11e2-ad4c-080027ef73ecOpenVPN -- potential side-channel/timing attack when comparing HMACs

The OpenVPN project reports:

OpenVPN 2.3.0 and earlier running in UDP mode are subject to chosen ciphertext injection due to a non-constant-time HMAC comparison function.


Discovery 2013-03-19
Entry 2013-03-31
Modified 2013-06-01
openvpn
lt 2.0.9_4

ge 2.1.0 lt 2.2.2_2

ge 2.3.0 lt 2.3.1

https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-f375aa67cc
CVE-2013-2061
http://www.openwall.com/lists/oss-security/2013/05/06/6
https://github.com/OpenVPN/openvpn/commit/11d21349a4e7e38a025849479b36ace7c2eec2ee
3dd6ccf4-a3c6-11e7-a52e-0800279f2ff8OpenVPN -- out-of-bounds write in legacy key-method 1

Steffan Karger reports:

The bounds check in read_key() was performed after using the value, instead of before. If 'key-method 1' is used, this allowed an attacker to send a malformed packet to trigger a stack buffer overflow. [...]

Note that 'key-method 1' has been replaced by 'key method 2' as the default in OpenVPN 2.0 (released on 2005-04-17), and explicitly deprecated in 2.4 and marked for removal in 2.5. This should limit the amount of users impacted by this issue.


Discovery 2017-09-21
Entry 2017-09-27
openvpn-polarssl
lt 2.3.18

openvpn-mbedtls
ge 2.4.0 lt 2.4.4

openvpn
ge 2.4.0 lt 2.4.4

lt 2.3.18

https://community.openvpn.net/openvpn/wiki/CVE-2017-12166
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg15492.html
CVE-2017-12166
6129fdc7-6462-456d-a3ef-8fc3fbf44d16openvpn -- arbitrary code execution on client through malicious or compromised server

James Yonan reports:

A format string vulnerability in the foreign_option function in options.c could potentially allow a malicious or compromised server to execute arbitrary code on the client. Only non-Windows clients are affected. The vulnerability only exists if (a) the client's TLS negotiation with the server succeeds, (b) the server is malicious or has been compromised such that it is configured to push a maliciously crafted options string to the client, and (c) the client indicates its willingness to accept pushed options from the server by having "pull" or "client" in its configuration file (Credit: Vade79).


Discovery 2005-10-31
Entry 2005-11-01
Modified 2005-11-04
openvpn
ge 2.0 lt 2.0.4

CVE-2005-3393
http://www.securityfocus.com/archive/1/415293/30/0/threaded
http://openvpn.net/changelog.html
0dc8be9e-19af-11e6-8de0-080027ef73ecOpenVPN -- Buffer overflow in PAM authentication and DoS through port sharing

Samuli Seppänen reports:

OpenVPN 2.3.11 [...] fixes two vulnerabilities: a port-share bug with DoS potential and a buffer overflow by user supplied data when using pam authentication.[...]


Discovery 2016-03-03
Entry 2016-05-14
openvpn
lt 2.3.11

openvpn-polarssl
lt 2.3.11

https://sourceforge.net/p/openvpn/mailman/message/35076507/
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23#OpenVPN2.3.11
23ab5c3e-79c3-11e4-8b1e-d050992ecde8OpenVPN -- denial of service security vulnerability

The OpenVPN project reports:

In late November 2014 Dragana Damjanovic notified OpenVPN developers of a critical denial of service security vulnerability (CVE-2014-8104). The vulnerability allows an tls-authenticated client to crash the server by sending a too-short control channel packet to the server. In other words this vulnerability is denial of service only.


Discovery 2014-12-01
Entry 2014-12-02
openvpn
lt 2.0.11

ge 2.1.0 lt 2.2.3

ge 2.3.0 lt 2.3.6

CVE-2014-8104
https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-97597e732b
6129fdc7-6462-456d-a3ef-8fc3fbf44d16openvpn -- arbitrary code execution on client through malicious or compromised server

James Yonan reports:

A format string vulnerability in the foreign_option function in options.c could potentially allow a malicious or compromised server to execute arbitrary code on the client. Only non-Windows clients are affected. The vulnerability only exists if (a) the client's TLS negotiation with the server succeeds, (b) the server is malicious or has been compromised such that it is configured to push a maliciously crafted options string to the client, and (c) the client indicates its willingness to accept pushed options from the server by having "pull" or "client" in its configuration file (Credit: Vade79).


Discovery 2005-10-31
Entry 2005-11-01
Modified 2005-11-04
openvpn
ge 2.0 lt 2.0.4

CVE-2005-3393
http://www.securityfocus.com/archive/1/415293/30/0/threaded
http://openvpn.net/changelog.html
be4ccb7b-c48b-11da-ae12-0002b3b60e4copenvpn -- LD_PRELOAD code execution on client through malicious or compromised server

Hendrik Weimer reports:

OpenVPN clients are a bit too generous when accepting configuration options from a server. It is possible to transmit environment variables to client-side shell scripts. There are some filters in place to prevent obvious nonsense, however they don't catch the good old LD_PRELOAD trick. All we need is to put a file onto the client under a known location (e.g. by returning a specially crafted document upon web access) and we have a remote root exploit. But since the attack may only come from authenticated servers, this threat is greatly reduced.


Discovery 2006-04-03
Entry 2006-04-05
Modified 2006-04-06
openvpn
ge 2.0 lt 2.0.6

CVE-2006-1629
http://www.osreviews.net/reviews/security/openvpn-print
http://openvpn.net/changelog.html
http://sourceforge.net/mailarchive/message.php?msg_id=15298074
3de49331-0dec-422c-93e5-e4719e9869c5openvpn -- potential denial-of-service on servers in TCP mode

James Yonan reports:

If the TCP server accept() call returns an error status, the resulting exception handler may attempt to indirect through a NULL pointer, causing a segfault. Affects all OpenVPN 2.0 versions.


Discovery 2005-11-01
Entry 2005-11-01
Modified 2005-11-04
openvpn
ge 2.0 lt 2.0.4

CVE-2005-3409
http://openvpn.net/changelog.html
3de49331-0dec-422c-93e5-e4719e9869c5openvpn -- potential denial-of-service on servers in TCP mode

James Yonan reports:

If the TCP server accept() call returns an error status, the resulting exception handler may attempt to indirect through a NULL pointer, causing a segfault. Affects all OpenVPN 2.0 versions.


Discovery 2005-11-01
Entry 2005-11-01
Modified 2005-11-04
openvpn
ge 2.0 lt 2.0.4

CVE-2005-3409
http://openvpn.net/changelog.html
be4ccb7b-c48b-11da-ae12-0002b3b60e4copenvpn -- LD_PRELOAD code execution on client through malicious or compromised server

Hendrik Weimer reports:

OpenVPN clients are a bit too generous when accepting configuration options from a server. It is possible to transmit environment variables to client-side shell scripts. There are some filters in place to prevent obvious nonsense, however they don't catch the good old LD_PRELOAD trick. All we need is to put a file onto the client under a known location (e.g. by returning a specially crafted document upon web access) and we have a remote root exploit. But since the attack may only come from authenticated servers, this threat is greatly reduced.


Discovery 2006-04-03
Entry 2006-04-05
Modified 2006-04-06
openvpn
ge 2.0 lt 2.0.6

CVE-2006-1629
http://www.osreviews.net/reviews/security/openvpn-print
http://openvpn.net/changelog.html
http://sourceforge.net/mailarchive/message.php?msg_id=15298074
04cc7bd2-3686-11e7-aa64-080027ef73ecOpenVPN -- two remote denial-of-service vulnerabilities

Samuli Seppänen reports:

OpenVPN v2.4.0 was audited for security vulnerabilities independently by Quarkslabs (funded by OSTIF) and Cryptography Engineering (funded by Private Internet Access) between December 2016 and April 2017. The primary findings were two remote denial-of-service vulnerabilities. Fixes to them have been backported to v2.3.15.

An authenticated client can do the 'three way handshake' (P_HARD_RESET, P_HARD_RESET, P_CONTROL), where the P_CONTROL packet is the first that is allowed to carry payload. If that payload is too big, the OpenVPN server process will stop running due to an ASSERT() exception. That is also the reason why servers using tls-auth/tls-crypt are protected against this attack - the P_CONTROL packet is only accepted if it contains the session ID we specified, with a valid HMAC (challenge-response). (CVE-2017-7478)

An authenticated client can cause the server's the packet-id counter to roll over, which would lead the server process to hit an ASSERT() and stop running. To make the server hit the ASSERT(), the client must first cause the server to send it 2^32 packets (at least 196 GB).


Discovery 2017-05-10
Entry 2017-05-11
openvpn
lt 2.3.15

ge 2.4.0 lt 2.4.2

openvpn23
lt 2.3.15

openvpn-mbedtls
ge 2.4.0 lt 2.4.2

openvpn-polarssl
lt 2.3.15

openvpn23-polarssl
lt 2.3.15

https://openvpn.net/index.php/open-source/downloads.html
CVE-2017-7478
CVE-2017-7479
https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineerAudits
https://ostif.org/?p=870&preview=true
https://www.privateinternetaccess.com/blog/2017/05/openvpn-2-4-2-fixes-critical-issues-discovered-openvpn-audit-reports/
9f65d382-56a4-11e7-83e3-080027ef73ecOpenVPN -- several vulnerabilities

Samuli Seppänen reports:

In May/June 2017 Guido Vranken threw a fuzzer at OpenVPN 2.4.2. In the process he found several vulnerabilities and reported them to the OpenVPN project. [...] The first releases to have these fixes are OpenVPN 2.4.3 and 2.3.17.

This is a list of fixed important vulnerabilities:

  • Remotely-triggerable ASSERT() on malformed IPv6 packet
  • Pre-authentication remote crash/information disclosure for clients
  • Potential double-free in --x509-alt-username
  • Remote-triggerable memory leaks
  • Post-authentication remote DoS when using the --x509-track option
  • Null-pointer dereference in establish_http_proxy_passthru()

Discovery 2017-05-19
Entry 2017-06-21
openvpn
lt 2.3.17

ge 2.4.0 lt 2.4.3

openvpn-mbedtls
lt 2.4.3

openvpn-polarssl
lt 2.3.17

https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243
CVE-2017-7508
CVE-2017-7512
CVE-2017-7520
CVE-2017-7521
CVE-2017-7522