X-Git-Url: https://www.tinc-vpn.org/git/browse?a=blobdiff_plain;f=security.mdwn;h=aa05ea3cf998506847d14d67df6eb4d1ab2e09ec;hb=f90afaf581392621709b256a951b8905c0220dac;hp=1b10b3327ec61493f8978c3b30e6993162bb8e99;hpb=c2157a3c17003b0bc020987b5bcd104997c72b7b;p=wiki diff --git a/security.mdwn b/security.mdwn index 1b10b33..aa05ea3 100644 --- a/security.mdwn +++ b/security.mdwn @@ -1,9 +1,17 @@ +## Reporting security issues + +In case you have found a security issue in tinc, please report it via email +to Guus Sliepen , preferrably PGP encrypted. +We will then try to get a CVE number assigned, and coordinate a bugfix release with major Linux distributions. + ## Security advisories The following list contains advisories for security issues in tinc in old versions: -- [CVE-2013-1428](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1428): - to be published. +- [CVE-2013-1428](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1428), + [DSA-2663](https://www.debian.org/security/2013/dsa-2663), + [Sitsec advisory](http://sitsec.net/blog/2013/04/22/stack-based-buffer-overflow-in-the-vpn-software-tinc-for-authenticated-peers): + stack based buffer overflow - [CVE-2002-1755](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1755): tinc 1.0pre3 and 1.0pre4 VPN do not authenticate forwarded packets, which allows remote attackers to inject data into user sessions without detection, and possibly control the data contents via cut-and-paste attacks on CBC. @@ -16,7 +24,7 @@ The following list contains advisories for security issues in tinc in old versio For those who run tinc on Debian or Debian-based distributions like Ubuntu and Knoppix, be advised that the following security issue affects tinc as well: -[http://www.debian.org/security/2008/dsa-1571](http://www.debian.org/security/2008/dsa-1571) +[https://www.debian.org/security/2008/dsa-1571](https://www.debian.org/security/2008/dsa-1571) In short, if you generated public/private keypairs for tinc between 2006 and May 7th, 2008 on a machine running Debian or a derivative, they may have been generated without a properly seeded random