FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

OpenVPN -- potential side-channel/timing attack when comparing HMACs

Affected packages
openvpn < 2.0.9_4
2.1.0 <= openvpn < 2.2.2_2
2.3.0 <= openvpn < 2.3.1

Details

VuXML ID 92f30415-9935-11e2-ad4c-080027ef73ec
Discovery 2013-03-19
Entry 2013-03-31
Modified 2013-06-01

The OpenVPN project reports:

OpenVPN 2.3.0 and earlier running in UDP mode are subject to chosen ciphertext injection due to a non-constant-time HMAC comparison function.
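
Added example, not part of the advisory and not OpenVPN's code: a C sketch of why an early-exit tag comparison leaks timing, next to a constant-time comparison that does not. The function names, the `steps` counter (instrumentation standing in for elapsed time) and the 20-byte sample tag are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TAG_LEN 20 /* assumed tag size for the demo (HMAC-SHA1 length) */

/* Early-exit comparison, memcmp-style: stops at the first differing byte,
 * so the work done depends on how long the matching prefix is.
 * *steps counts bytes examined; it stands in for elapsed time. */
static int leaky_compare(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            *steps = i + 1;
            return 1;
        }
    }
    *steps = n;
    return 0;
}

/* Constant-time comparison: always reads all n bytes and folds every
 * difference into one accumulator, with no data-dependent branch. */
static int constant_time_compare(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    volatile uint8_t diff = 0; /* volatile discourages compiler short-circuiting */
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    *steps = n;
    return diff != 0;
}

int main(void)
{
    uint8_t expected[TAG_LEN], received[TAG_LEN];
    const size_t mismatch_at[] = {0, 5, 19}; /* constructed sample inputs */
    for (size_t i = 0; i < TAG_LEN; i++) expected[i] = (uint8_t)(0xA0 + i);

    for (size_t k = 0; k < 3; k++) {
        size_t leaky = 0, ct = 0;
        for (size_t i = 0; i < TAG_LEN; i++) received[i] = expected[i];
        received[mismatch_at[k]] ^= 0xFF; /* corrupt exactly one byte */
        leaky_compare(expected, received, TAG_LEN, &leaky);
        constant_time_compare(expected, received, TAG_LEN, &ct);
        printf("first mismatch at %2zu: early-exit examined %2zu bytes, constant-time %2zu\n",
               mismatch_at[k], leaky, ct);
    }
    return 0;
}
```

The early-exit routine's work grows with the number of leading bytes that match, which is the data-dependent behaviour a constant-time comparison removes.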

References

CVE Name CVE-2013-2061
URL http://www.openwall.com/lists/oss-security/2013/05/06/6
URL https://community.openvpn.net/openvpn/wiki/SecurityAnnouncement-f375aa67cc
URL https://github.com/OpenVPN/openvpn/commit/11d21349a4e7e38a025849479b36ace7c2eec2ee