aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMatthias Andree <mandree@FreeBSD.org>2025-01-17 01:38:45 +0000
committerMatthias Andree <mandree@FreeBSD.org>2025-01-17 01:40:05 +0000
commita07b2a9949f31cae273911b6bfece31afd162454 (patch)
treefec6ff766d225a382033ff27a68535e613c22fa4
parent5d9eb9407b356d89a007061589e064cfbebf6b4e (diff)
security/vuxml: mention security/openvpn username/password length bugfix of v2.6.13
I am not aware of a CVE number yet. Security: 47bc292a-d472-11ef-aaab-7d43732cb6f5
-rw-r--r--security/vuxml/vuln/2025.xml29
1 files changed, 29 insertions, 0 deletions
diff --git a/security/vuxml/vuln/2025.xml b/security/vuxml/vuln/2025.xml
index 6a27a246869e..ad0fba1ec554 100644
--- a/security/vuxml/vuln/2025.xml
+++ b/security/vuxml/vuln/2025.xml
@@ -1,3 +1,32 @@
+ <vuln vid="47bc292a-d472-11ef-aaab-7d43732cb6f5">
+ <topic>openvpn -- too long a username or password from a client can confuse openvpn servers</topic>
+ <affects>
+ <package>
+ <name>openvpn</name>
+ <range><lt>2.6.13</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Frank Lichtenheld reports:</p>
+ <blockquote cite="https://github.com/OpenVPN/openvpn/releases/tag/v2.6.13">
+ <p>[OpenVPN v2.6.13 ...] improve server-side handling of clients sending
+ usernames or passwords longer than USER_PASS_LEN - this would not
+ result in a crash, buffer overflow or other security issues, but the
+ server would then misparse incoming IV variables and produce misleading
+ error messages.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://github.com/OpenVPN/openvpn/releases/tag/v2.6.13</url>
+ </references>
+ <dates>
+ <discovery>2024-10-28</discovery>
+ <entry>2025-01-17</entry>
+ </dates>
+ </vuln>
+
<vuln vid="163edccf-d2ba-11ef-b10e-589cfc10a551">
<topic>rsync -- Multiple security fixes</topic>
<affects>