Date: Wed, 21 Jun 2017 13:19:30 +0200
From: Guido Vranken <guidovranken@...il.com>
To: Solar Designer <solar@...nwall.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: 4 remote vulnerabilities in OpenVPN

Thank you! I will take this into account next time.

Guido

On Wed, Jun 21, 2017 at 1:17 PM, Solar Designer <solar@...nwall.com> wrote:
> On Wed, Jun 21, 2017 at 12:40:57PM +0200, Guido Vranken wrote:
>> An extensive effort to find security vulnerabilities in OpenVPN has
>> resulted in 4 vulnerabilities of such severity that they have been
>> kept under embargo until today.
>> Interestingly, this comes shortly after the results of two source code
>> audits were released, which both failed to detect these problems.
>> The worst vulnerability of the 4 allows a client to drain the
>> server's memory, which, due to a particular technical circumstance,
>> may be exploited to achieve remote code execution.
>>
>> An extensive write-up can be found here:
>> https://guidovranken.wordpress.com/2017/06/21/the-openvpn-post-audit-bug-bonanza/
>> . A technical explanation for every vulnerability is provided, and I
>> ponder the efficacy of source code audits.
>
> That's very cool, but we have a policy here to include actual
> vulnerability detail in the list postings.  Your blog might be gone in
> some years, but hopefully some oss-security archives will stay around.
>
> http://oss-security.openwall.org/wiki/mailing-lists/oss-security#list-content-guidelines
>
> "At least the most essential part of your message (e.g., vulnerability
> detail and/or exploit) should be directly included in the message itself
> (and in plain text), rather than only included by reference to an
> external resource.  Posting links to relevant external resources as well
> is acceptable, but posting only links is not.  Your message should remain
> valuable even with all of the external resources gone."
>
> I've attached a text/plain export of your blog post to this message.
>
> Alexander
