Bug 995374 - (CVE-2016-6329) VUL-0: CVE-2016-6329: openvpn: affected by 64bit cipher birthday attack (SWEET32)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
CVSSv2:RedHat:CVE-2016-6329:4.3:(AV:N...
Reported: 2016-08-24 14:28 UTC by Marcus Meissner
Modified: 2020-04-23 15:01 UTC
Description Marcus Meissner 2016-08-24 14:28:33 UTC
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23

https://sweet32.info/

openvpn supports some 64bit ciphers still, which could be affected by the birthday attack against these small bit amount ciphers as described on sweet32.info.

Overview of changes in OpenVPN v2.3
...
      Discourage using 64-bit block ciphers
...
Comment 1 Marcus Meissner 2016-08-24 15:04:20 UTC
CVE-2016-6329 seems used
Comment 2 Marcus Meissner 2016-08-24 15:07:55 UTC
blowfish and triple-des might be used by openvpn
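Added example (not part of the original bug report and not OpenVPN or SUSE code): a Python check that reads an OpenVPN configuration and reports when the effective data-channel cipher has a 64-bit block, as raised in the description and in comment 2. The function name, the cipher prefix list and the sample config are constructed for this example; it assumes the OpenVPN 2.3 behaviour of falling back to BF-CBC when no `cipher` directive is set, and uses `reneg-bytes 64000000` as the per-key data limit suggested in the OpenVPN project's SWEET32 guidance.

```python
import re

# Name prefixes of 64-bit block ciphers (list assembled for this example;
# compare against your build's `openvpn --show-ciphers` output).
SMALL_BLOCK_PREFIXES = ("BF-", "DES-", "DESX-", "CAST5-", "RC2-", "IDEA-")
DEFAULT_CIPHER_23 = "BF-CBC"      # used by OpenVPN 2.3 when no cipher is set
RENEG_BYTES_LIMIT = 64_000_000    # rekey at or below this many bytes per key

# Constructed sample: 3DES configured, no byte-based renegotiation limit.
SAMPLE_CONFIG = """\
dev tun
proto udp
cipher DES-EDE3-CBC   # legacy peers
;reneg-bytes 64000000
"""

def audit_openvpn_config(text):
    """Return a list of SWEET32-related findings for one config file's text."""
    cipher, reneg_bytes = None, None
    for raw in text.splitlines():
        # '#' and ';' start comments in OpenVPN config files.
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        parts = line.split()
        key = parts[0].lstrip("-").lower()
        if key == "cipher" and len(parts) > 1:
            cipher = parts[1].upper()
        elif key == "reneg-bytes" and len(parts) > 1 and parts[1].isdigit():
            reneg_bytes = int(parts[1])

    findings = []
    effective = cipher or DEFAULT_CIPHER_23
    if effective.startswith(SMALL_BLOCK_PREFIXES):
        origin = "configured" if cipher else "implicit 2.3 default"
        findings.append(f"64-bit block cipher in use: {effective} ({origin})")
        # reneg-bytes 0 or absent means no byte-based rekeying at all.
        if not reneg_bytes or reneg_bytes > RENEG_BYTES_LIMIT:
            findings.append("no reneg-bytes limit <= 64000000 to bound data per key")
    return findings

if __name__ == "__main__":
    for finding in audit_openvpn_config(SAMPLE_CONFIG):
        print(finding)
```

A config with no `cipher` line is reported as well, since the 2.3 default is itself a 64-bit block cipher.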
Comment 3 Swamp Workflow Management 2016-08-24 22:00:45 UTC
bugbot adjusting priority
Comment 8 Bernhard Wiedemann 2017-06-02 10:03:58 UTC
This is an autogenerated message for OBS integration:
This bug (995374) was mentioned in
https://build.opensuse.org/request/show/500570 42.2 / openvpn
https://build.opensuse.org/request/show/500580 42.3 / openvpn
Comment 9 Swamp Workflow Management 2017-06-20 10:12:17 UTC
SUSE-SU-2017:1622-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1038709,1038711,1038713,995374
CVE References: CVE-2016-6329,CVE-2017-7478,CVE-2017-7479
Sources used:
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    openvpn-2.3.8-16.14.1
SUSE Linux Enterprise Server 12-SP2 (src):    openvpn-2.3.8-16.14.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    openvpn-2.3.8-16.14.1
Comment 10 Swamp Workflow Management 2017-06-21 16:13:15 UTC
openSUSE-SU-2017:1638-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1038709,1038711,1038713,995374
CVE References: CVE-2016-6329,CVE-2017-7478,CVE-2017-7479
Sources used:
openSUSE Leap 42.2 (src):    openvpn-2.3.8-8.6.1
Comment 11 Marcus Meissner 2017-08-28 08:35:16 UTC
can you also include in sles11 sp4?
Comment 15 Lidong Zhong 2017-09-04 06:55:59 UTC
Marcus, an L3 incident has already been created for bsc#1056470. Since there
is a big change between sles11sp4 and sles12sp2 for openvpn, I have to wait for
Nirmoy's patch and provide the PTF then.
Comment 17 Swamp Workflow Management 2017-10-24 13:08:02 UTC
SUSE-SU-2017:2838-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1038709,1038711,1038713,1060877,995374
CVE References: CVE-2016-6329,CVE-2017-12166,CVE-2017-7478,CVE-2017-7479
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    openvpn-2.0.9-143.47.3.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    openvpn-2.0.9-143.47.3.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    openvpn-2.0.9-143.47.3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    openvpn-2.0.9-143.47.3.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    openvpn-2.0.9-143.47.3.1
Comment 18 Marcus Meissner 2018-02-21 07:10:54 UTC
released
Comment 21 Alexandros Toptsoglou 2020-04-23 15:01:28 UTC
Done