Changes between Version 6 and Version 7 of VulnerabilitiesFixedInOpenSSL1.0.1i


Ignore:
Timestamp:
08/07/14 20:02:39 (5 years ago)
Author:
Steffan Karger
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • VulnerabilitiesFixedInOpenSSL1.0.1i

    v6 v7  
    1616||SRP buffer overrun||CVE-2014-3512||No. OpenVPN does not use SRP.||
    1717
    18 [1] This one triggers no direct vulnerability in OpenVPN. Stack information is not leaked to the peer. It might be possible that the leaked information is passed on to a client script / plugin (not sure what form the leaked information has, if the leaked information is after a NUL-byte, it's probably not even exported). Such a plugin/script could then leak the information to the attacker.
     18[1] This one triggers no direct vulnerability in OpenVPN. Leaked information is not sent to peers by OpenVPN. It might be possible that the leaked information is passed on to a client script / plugin (not sure what form the leaked information has, if the leaked information is after a NUL-byte, it's probably not even exported). Such a plugin/script could then leak the information to the attacker.
    1919
    2020[2] If you are using OpenVPN 2.3.3 or OpenVPN 2.3.4 and have enabled newer TLS versions by using option tls-version-min in your configuration, your configuration is vulnerable to the protocol downgrade attack. However, it will still be at least as secure as a setup without tls-version-min in its configuration.