[Buildroot] [PATCH] tinc: security bump to version 1.0.35

Peter Korsgaard peter at korsgaard.com
Tue Oct 23 16:08:35 UTC 2018


>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:

 > Fixes the following security issues:
 > CVE-2018-16758: Michael Yonli discovered that tinc 1.0.34 and earlier allow
 > a man-in-the-middle attack that, even if the MITM cannot decrypt the traffic
 > sent between the two endpoints, when the MITM can correctly predict when an
 > ephemeral key exchange message is sent in a TCP connection between two
 > nodes, allows the MITM to force one node to send UDP packets in plaintext.
 > The tinc 1.1pre versions are not affected by this.

 > CVE-2018-16738: Michael Yonli discovered that tinc versions 1.0.30 to 1.0.34
 > allow an oracle attack, similar to CVE-2018-16737, but due to the
 > mitigations put in place for the Sweet32 attack in tinc 1.0.30, it now
 > requires a timing attack that has only a limited time to complete.  Tinc
 > 1.1pre16 and earlier are also affected if there are nodes on the same VPN
 > that still use the legacy protocol from tinc version 1.0.x.

 > Signed-off-by: Peter Korsgaard <peter at korsgaard.com>

Committed to 2018.02.x and 2018.08.x, thanks.

-- 
Bye, Peter Korsgaard


