Advisories » MGASA-2016-0304

Updated openvpn packages fix security vulnerability

Publication date: 16 Sep 2016
Modification date: 08 Sep 2016
Type: security
Affected Mageia releases : 5
CVE: CVE-2016-6329

Description

Ciphers with 64-bit block sizes used in CBC mode were found to be
vulnerable to birthday attack when key renegotiation doesn't happen
frequently or at all in long running connections. Blowfish cipher as used
in OpenVPN by default is vulnerable to this attack, that allows remote
attacker to recover partial plaintext information (XOR of two plaintext
blocks) (CVE-2016-6329).
                

References

• https://bugs.mageia.org/show_bug.cgi?id=19251
• https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/IIPSFOGSRZ5PCY7HRYCDJADE4DTIBMML/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6329

SRPMS

5/core

• openvpn-2.3.12-1.mga5