Date: Wed, 21 Jun 2017 13:19:30 +0200
From: Guido Vranken <guidovranken@...il.com>
To: Solar Designer <solar@...nwall.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: 4 remote vulnerabilities in OpenVPN

Thank you! I will take this into account next time.

Guido

On Wed, Jun 21, 2017 at 1:17 PM, Solar Designer <solar@...nwall.com> wrote:
> On Wed, Jun 21, 2017 at 12:40:57PM +0200, Guido Vranken wrote:
>> An extensive effort to find security vulnerabilities in OpenVPN has
>> resulted in 4 vulnerabilities of such severity that they have been
>> kept under embargo until today.
>> Interestingly, this comes shortly after the results of two source code
>> audits were released, which both failed to detect these problems.
>> The worst vulnerability of the 4 allows a client to drain the
>> server's memory, which, due to a particular technical circumstance,
>> may be exploited to achieve remote code execution.
>>
>> An extensive write-up can be found here:
>> https://guidovranken.wordpress.com/2017/06/21/the-openvpn-post-audit-bug-bonanza/
>> A technical explanation for every vulnerability is provided, and I
>> ponder the efficacy of source code audits.
>
> That's very cool, but we have a policy here to include actual
> vulnerability detail in the list postings. Your blog might be gone in
> some years, but hopefully some oss-security archives will stay around.
>
> http://oss-security.openwall.org/wiki/mailing-lists/oss-security#list-content-guidelines
>
> "At least the most essential part of your message (e.g., vulnerability
> detail and/or exploit) should be directly included in the message itself
> (and in plain text), rather than only included by reference to an
> external resource. Posting links to relevant external resources as well
> is acceptable, but posting only links is not. Your message should remain
> valuable even with all of the external resources gone."
>
> I've attached a text/plain export of your blog post to this message.
>
> Alexander