Your message dated Mon, 11 Aug 2008 18:02:04 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#493488: fixed in openvpn 2.1~rc9-1
has caused the Debian Bug report #493488,
regarding "CVE-2008-3459: Remote command execution"
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
493488: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=493488
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: openvpn
Version: 2.1~rc8-1
Tags: security
Severity: grave

| * Security Fix -- affects non-Windows OpenVPN clients running
|    OpenVPN 2.1-beta14 through 2.1-rc8 (OpenVPN 2.0.x clients are NOT
|    vulnerable nor are any versions of the OpenVPN server vulnerable).
|    An OpenVPN client connecting to a malicious or compromised
|    server could potentially receive an "lladdr" or "iproute"
|    configuration directive from the server which could cause arbitrary
|    code execution on the client. A successful attack requires that (a)
|    the client has agreed to allow the server to push configuration
|    directives to it by including "pull" or the macro "client" in its
|    configuration file, (b) the client successfully authenticates the
|    server, (c) the server is malicious or has been compromised and is
|    under the control of the attacker, and (d) the client is running a
|    non-Windows OS.  Credit: David Wagner.
| 
| * Miscellaneous defensive programming changes to multiple
|    areas of the code.  In particular, use of the system() call
|    for calling executables such as ifconfig, route, and
|    user-defined scripts has been completely revamped in favor
|    of execve() on unix and CreateProcess() on Windows.

<http://openvpn.net/index.php/documentation/change-log/changelog-21.html>

CVE not yet known.



--- End Message ---
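
The changelog quoted in the report above says that calls to system() for helpers such as ifconfig and route were replaced with execve(). The following is an added example, not OpenVPN source code, showing why that matters when a value comes from a server push. It assumes /bin/echo as a stand-in for the real helper; the function names and the sample value are constructed for illustration.

```c
/* Added example, not OpenVPN source. /bin/echo stands in for ifconfig/route. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Before: the pushed value is pasted into a command line and handed to
 * /bin/sh, which interprets any metacharacters it contains. */
int run_with_system(const char *pushed)
{
    char cmd[256];
    int n = snprintf(cmd, sizeof cmd, "/bin/echo lladdr %s", pushed);
    if (n < 0 || (size_t)n >= sizeof cmd)
        return -1;                       /* refuse truncated commands */
    int st = system(cmd);
    return (st != -1 && WIFEXITED(st)) ? WEXITSTATUS(st) : -1;
}

/* After: no shell is involved; the pushed value is exactly one argv element. */
int run_with_execve(const char *pushed)
{
    char *const argv[] = { "echo", "lladdr", (char *)pushed, NULL };
    char *const envp[] = { NULL };       /* empty environment for the child */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve("/bin/echo", argv, envp);
        _exit(127);                      /* only reached if execve failed */
    }
    int st;
    if (waitpid(pid, &st, 0) < 0)
        return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

int main(void)
{
    /* Constructed sample: an address followed by a harmless shell statement. */
    const char *pushed = "00:11:22:33:44:55; exit 7";
    printf("system(): exit status %d\n", run_with_system(pushed));
    printf("execve(): exit status %d\n", run_with_execve(pushed));
    return 0;
}
```

With system() the exit status is decided by the text after the semicolon; with execve() the same bytes are only an argument to the helper.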
--- Begin Message ---
Source: openvpn
Source-Version: 2.1~rc9-1

We believe that the bug you reported is fixed in the latest version of
openvpn, which is due to be installed in the Debian FTP archive:

openvpn_2.1~rc9-1.diff.gz
  to pool/main/o/openvpn/openvpn_2.1~rc9-1.diff.gz
openvpn_2.1~rc9-1.dsc
  to pool/main/o/openvpn/openvpn_2.1~rc9-1.dsc
openvpn_2.1~rc9-1_i386.deb
  to pool/main/o/openvpn/openvpn_2.1~rc9-1_i386.deb
openvpn_2.1~rc9.orig.tar.gz
  to pool/main/o/openvpn/openvpn_2.1~rc9.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alberto Gonzalez Iniesta <[EMAIL PROTECTED]> (supplier of updated openvpn package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 11 Aug 2008 19:40:11 +0200
Source: openvpn
Binary: openvpn
Architecture: source i386
Version: 2.1~rc9-1
Distribution: unstable
Urgency: high
Maintainer: Alberto Gonzalez Iniesta <[EMAIL PROTECTED]>
Changed-By: Alberto Gonzalez Iniesta <[EMAIL PROTECTED]>
Description: 
 openvpn    - virtual private network daemon
Closes: 493488
Changes: 
 openvpn (2.1~rc9-1) unstable; urgency=high
 .
   * New upstream version.
   * Urgency high since it fixes a security bug in versions
     2.1-beta14 to 2.1-rc8. CVE-2008-3459. (Closes: #493488)
   * Added sample-scripts/ to examples directory.
   * Thanks Tristan Hill for rewritten debian_openssl_vulnkeys.patch

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkigejwACgkQxRSvjkukAcPGkACgkmz6h+bidjOjiwAoG959zVLF
sKcAoNDADsBqTbvCgjltPqQc2QswPH03
=5FXk
-----END PGP SIGNATURE-----



--- End Message ---
