On 16/05/16 14:03, Gert Doering wrote:
> Hi,
>
> On Sat, May 14, 2016 at 10:50:23AM +0200, Matthias Andree wrote:
>> On 10.05.2016 at 12:06, Samuli Seppänen wrote:
>>> The OpenVPN community project team is proud to release OpenVPN 2.3.11.
>>> It can be downloaded from here:
>>>
>>> <http://openvpn.net/index.php/open-source/downloads.html>
>>>
>>> This release fixes two vulnerabilities: a port-share bug with DoS
>>> potential and a buffer overflow by user supplied data when using pam
>>> authentication. In addition a number of small fixes and improvements are
>>> included. A full list of changes is available here:
>>>
>>> <https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23>
>>
>> I was wondering... do we have CVE references or similar unique
>> identifiers, which I could then use - for instance - in the FreeBSD
>> vulnerability database?
>
> Not for these two - these sound scary, but are really edge cases that
> are very unlikely to be a problem for most users in practice. So we
> didn't go out and fetch a CVE number - maybe we should have, but we're
> still learning. And we need more people to do the routine chores, like,
> "organize proper handling of possibly security relevant patches"...
>
> After release, I saw a note about Fedora issuing updates, which referenced
> "OPENVPN-2311-1" and "OPENVPN-2311-2" - though I'm not sure if these are
> Fedora-assigned or DFN-CERT...
>
> https://portal.cert.dfn.de/adv/DFN-CERT-2016-0739/
AFAIK, those OPENVPN-2311-{1,2} numbers are created by dfn.de. I've never heard, noticed or seen any traces of Fedora nor Red Hat requesting any CVE numbers for these specific issues. In hindsight I agree that we probably should have at least considered asking for CVE numbers in these cases.

--
kind regards,

David Sommerseth