Menu
▾
▴
Re: [Openvpn-devel] Windows build fix for CVE-2015-4000
|
From: Jan J. K. <ja...@ni...> - 2015-06-26 11:48:25
|
On 26/06/15 13:28, Gert Doering wrote: > Hi, > > On Fri, Jun 26, 2015 at 12:16:43PM +0200, David Sommerseth wrote: >> * Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789) >> This might be an issue on OpenVPN on the server side. However, >> --tls-auth will reduce the attack vector to one of your own users. > As we're not using X509_cmp_time()... > > that was my initial thought as well, but X509_cmp_time might be (is) called by OpenSSL internally to check the dates on certificates and perhaps CRLs. It would need further investigation, I guess. JJK |
