FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

nothing found there

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML IDDescription
efb965be-a2c0-11eb-8956-1951a8617e30openvpn -- deferred authentication can be bypassed in specific circumstances

Gert Döring reports:

OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.

Discovery 2021-03-02
Entry 2021-04-21
lt 2.5.2

lt 2.5.2
8604121c-7fc2-11ea-bcac-7781e90b0c8fopenvpn -- illegal client float can break VPN session for other users

Lev Stipakov and Gert Doering report:

There is a time frame between allocating peer-id and initializing data channel key (which is performed on receiving push request or on async push-reply) in which the existing peer-id float checks do not work right.

If a "rogue" data channel packet arrives during that time frame from another address and with same peer-id, this would cause client to float to that new address.

The net effect of this behaviour is that the VPN session for the "victim client" is broken. Since the "attacker client" does not have suitable keys, it can not inject or steal VPN traffic from the other session. The time window is small and it can not be used to attack a specific client's session, unless some other way is found to make it disconnect and reconnect first.

Discovery 2020-04-13
Entry 2020-04-16
lt 2.4.8_3

lt 2.4.8_3

lt 202016
45a72180-a640-11ec-a08b-85298243e224openvpn -- Potential authentication by-pass with multiple deferred authentication plug-ins

David Sommerseth reports:

OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials. This issue is resolved in OpenVPN 2.4.12 and v2.5.6.

Discovery 2022-03-10
Entry 2022-03-17
lt 2.5.6

lt 2.5.6