Hi,

On Sat, May 14, 2016 at 10:50:23AM +0200, Matthias Andree wrote:
> On 10.05.2016 at 12:06, Samuli Seppänen wrote:
> > The OpenVPN community project team is proud to release OpenVPN 2.3.11.
> > It can be downloaded from here:
> >
> > <http://openvpn.net/index.php/open-source/downloads.html>
> >
> > This release fixes two vulnerabilities: a port-share bug with DoS
> > potential and a buffer overflow by user supplied data when using pam
> > authentication. In addition a number of small fixes and improvements are
> > included. A full list of changes is available here:
> >
> > <https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23>
>
> I was wondering... do we have CVE references or similar unique
> identifiers, which I could then use - for instance - in the FreeBSD
> vulnerability database?

Not for these two - these sound scary, but are really edge cases that
are very unlikely to be a problem for most users in practice. So we
didn't go out and fetch a CVS number - maybe we should have, but we're
still learning. And we need more people to do the routine chores, like,
"organize proper handling of possibly security relevant patches"...

After release, I saw a note about Fedora issuing updates, which
referenced "OPENVPN-2311-1" and "OPENVPN-2311-2" - though I'm not sure
if these are Fedora-assigned or DFN-CERT...

https://portal.cert.dfn.de/adv/DFN-CERT-2016-0739/

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany
g...@greenie.muc.de
fax: +49-89-35655025
g...@net.informatik.tu-muenchen.de