X-Git-Url: https://www.tinc-vpn.org/git/browse?p=wiki;a=blobdiff_plain;f=security.mdwn;fp=security.mdwn;h=ce4a416b20a70991500471eff9eb843703752fc5;hp=aa05ea3cf998506847d14d67df6eb4d1ab2e09ec;hb=d0072a11debc576b5fd970841117a89bdfe8549a;hpb=1331b672f598a298e55e73d6aa42ce4d4a56f84c

diff --git a/security.mdwn b/security.mdwn
index aa05ea3..ce4a416 100644
--- a/security.mdwn
+++ b/security.mdwn
@@ -8,16 +8,40 @@ We will then try to get a CVE number assigned, and coordinate a bugfix release w
 
 The following list contains advisories for security issues in tinc in old versions:
 
+- [CVE-2018-16758](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16758):
+  Tinc 1.0.34 and earlier allow a [man-in-the-middle attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)
+  that, even if the MITM cannot decrypt the traffic sent between the two
+  endpoints, when the MITM can correctly predict when an ephemeral key exchange
+  message is sent in a TCP connection between two nodes, allows the MITM to
+  force one node to send UDP packets in plaintext.
+  The tinc 1.1pre versions are not affected by this.
+
+- [CVE-2018-16738](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16738):
+  Tinc versions 1.0.30 to 1.0.34 allow an [oracle attack](https://en.wikipedia.org/wiki/Oracle_attack),
+  similar to CVE-2018-16737, but due to the mitigations put in place for the Sweet32
+  attack in tinc 1.0.30, it now requires a [timing attack](https://en.wikipedia.org/wiki/Timing_attack)
+  that has only a limited time to complete.
+  Tinc 1.1pre16 and earlier are also affected if there are nodes on the same
+  VPN that still use the legacy protocol from tinc version 1.0.x.
+
+- [CVE-2018-16737](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16737):
+  Tinc 1.0.29 and earlier allow an [oracle attack](https://en.wikipedia.org/wiki/Oracle_attack)
+  that could allow a remote attacker to establish one-way communication with a
+  tinc node, allowing it to send fake control messages and inject packets into
+  the VPN. The attack takes only a few seconds to complete.
+  Tinc 1.1pre14 and earlier allow the same attack if they are configured to allow connections
+  from nodes using the legacy 1.0.x protocol.
+
 - [CVE-2013-1428](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1428),
   [DSA-2663](https://www.debian.org/security/2013/dsa-2663),
   [Sitsec advisory](http://sitsec.net/blog/2013/04/22/stack-based-buffer-overflow-in-the-vpn-software-tinc-for-authenticated-peers):
   stack based buffer overflow
 
 - [CVE-2002-1755](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1755):
-  tinc 1.0pre3 and 1.0pre4 VPN do not authenticate forwarded packets, which allows remote attackers to inject data into user sessions without detection, and possibly control the data contents via cut-and-paste attacks on CBC. 
+  Tinc 1.0pre3 and 1.0pre4 VPN do not authenticate forwarded packets, which allows remote attackers to inject data into user sessions without detection, and possibly control the data contents via cut-and-paste attacks on CBC. 
 
 - [CVE-2001-1505](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1505):
-  tinc 1.0pre3 and 1.0pre4 allow remote attackers to inject data into user sessions by sniffing and replaying packets. 
+  Tinc 1.0pre3 and 1.0pre4 allow remote attackers to inject data into user sessions by sniffing and replaying packets. 
 
 ## Possible weak keys generated by tinc on Debian (and derivates) due to a security bug in Debian's OpenSSL packages