Message-ID: <CAO5O-EJqSUT8PcMzEjDF8k8CwxsyHqVSEYbku3HaAhvvKjgCbQ@mail.gmail.com>
Date: Wed, 21 Jun 2017 12:40:57 +0200
From: Guido Vranken <guidovranken@...il.com>
To: oss-security@...ts.openwall.com
Subject: 4 remote vulnerabilities in OpenVPN

An extensive effort to find security vulnerabilities in OpenVPN has
resulted in 4 vulnerabilities of such severity that they have been
kept under embargo until today.
Interestingly, this comes shortly after the results of two source code
audits were released, which both failed to detect these problems.
The worst vulnerability of the 4 allows a client to drain the
server's memory, which, due to a particular technical circumstance,
may be exploited to achieve remote code execution.

An extensive write-up can be found here:
https://guidovranken.wordpress.com/2017/06/21/the-openvpn-post-audit-bug-bonanza/
A technical explanation for every vulnerability is provided, and I
ponder the efficacy of source code audits.

Guido
