X-Git-Url: https://www.tinc-vpn.org/git/browse?p=wiki;a=blobdiff_plain;f=security.mdwn;h=d6cdea0ae4aa78661faf75ad666e8f4c028ba129;hp=91c56478550581f6e2f82b9de047e01c35ec0422;hb=284b410a18a252cc4a1346e556f3515b1e994922;hpb=feac0b31410e1fcdf194218201988ace96fba8ee

diff --git a/security.mdwn b/security.mdwn
index 91c5647..d6cdea0 100644
--- a/security.mdwn
+++ b/security.mdwn
@@ -1,3 +1,14 @@
+## Security advisories
+
+The following list contains advisories for security issues in tinc in old versions:
+
+- [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1428](CVE-2013-1428):
+  to be published.
+- [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1755](CVE-2002-1755):
+  tinc 1.0pre3 and 1.0pre4 VPN do not authenticate forwarded packets, which allows remote attackers to inject data into user sessions without detection, and possibly control the data contents via cut-and-paste attacks on CBC. 
+- [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1505](CVE-2001-1505):
+  tinc 1.0pre3 and 1.0pre4 allow remote attackers to inject data into user sessions by sniffing and replaying packets. 
+
 ## Possible weak keys generated by tinc on Debian (and derivates) due to a security bug in Debian's OpenSSL packages
 
 For those who run tinc on Debian or Debian-based distributions like
@@ -22,7 +33,7 @@ well. Regenerate any keying material that you have exchanged via
 your tinc VPN if any of the nodes was running on an affected
 platform.
 
-## Security issues in tinc
+## Known security issues in tinc 1.0.x
 
 Although tinc uses the OpenSSL library, it does not use the SSL protocol
 to establish connections between daemons. The reasons for this were:
@@ -37,10 +48,8 @@ René Korthaus, Andreas Hübner, Felix Stein and Wladimir Paulsen have also look
 and have provided a more in-depth analysis of the most critical weaknesses.
 In the interest of full disclosure we will list the known weaknesses below.
 
-For tinc 2.0 and later we will use a standard protocol like SSH or TLS to perform authentication.
-For the encapsulated packets, we will consider protocols like DTLS, but due to the specific needs of a peer-to-peer VPN,
-we might also keep our own protocol, but update it to current security standards.
-We might also release an interim version that just fixes the vulnerabilities in tinc 1.x in the near future.
+Tinc 1.1pre3 and later will use a new protocol that fixes all these issues,
+and that is similar to (D)TLS with a strong cipher suite.
 
 ### Predictable IV