Date: Wed, 21 Jun 2017 13:19:30 +0200
From: Guido Vranken <>
To: Solar Designer <>
Subject: Re: 4 remote vulnerabilities in OpenVPN

Thank you! I will take this into account next time.


On Wed, Jun 21, 2017 at 1:17 PM, Solar Designer <> wrote:
> On Wed, Jun 21, 2017 at 12:40:57PM +0200, Guido Vranken wrote:
>> An extensive effort to find security vulnerabilities in OpenVPN has
>> resulted in 4 vulnerabilities of such severity that they have been
>> kept under embargo until today.
>> Interestingly, this comes shortly after the results of two source code
>> audits were released, which both failed to detect these problems.
>> The worst vulnerability of the 4 allows a client to drain the
>> server's memory, which, due to a particular technical circumstance,
>> may be exploited to achieve remote code execution.
>> An extensive write-up can be found here:
>> . A technical explanation for every vulnerability is provided, and I
>> ponder the efficacy of source code audits.
> That's very cool, but we have a policy here to include actual
> vulnerability detail in the list postings.  Your blog might be gone in
> some years, but hopefully some oss-security archives will stay around.
> "At least the most essential part of your message (e.g., vulnerability
> detail and/or exploit) should be directly included in the message itself
> (and in plain text), rather than only included by reference to an
> external resource.  Posting links to relevant external resources as well
> is acceptable, but posting only links is not.  Your message should remain
> valuable even with all of the external resources gone."
> I've attached a text/plain export of your blog post to this message.
> Alexander
