From https://bugzilla.ipfire.org/show_bug.cgi?id=10137:
The first patch i have made is to give the index.cgi the origin colour (the
same then for the roadwarrior) for OpenVPN N2N connections on IPFire. At this
time the colour is stated in IPSec colour, so i made a patch to change this.
Normally 576 is the smallest valid mtu but some cable provider set this
also if they support much higher mtu's. Fedora does not accept
this to prevent speed problems with such isp connections so we do the same.
If you really need mtu=576 you can still force at at the setup.
Invalid TLS/DTLS record attack (CVE-2012-2333)
===============================================
A flaw in the OpenSSL handling of CBC mode ciphersuites in TLS 1.1, 1.2 and
DTLS can be exploited in a denial of service attack on both clients and
servers.
DTLS applications are affected in all versions of OpenSSL. TLS is only
affected in OpenSSL 1.0.1 and later.
Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic fuzzing
as a service testing platform.
The fix was developed by Stephen Henson of the OpenSSL core team.
Affected users should upgrade to OpenSSL 1.0.1c, 1.0.0j or 0.9.8x
References
==========
URL for this Security Advisory:
http://www.openssl.org/news/secadv_20120510.txt
SN1 BIO incomplete fix (CVE-2012-2131)
=======================================
It was discovered that the fix for CVE-2012-2110 released on 19 Apr
2012 was not sufficient to correct the issue for OpenSSL 0.9.8.
Please see http://www.openssl.org/news/secadv_20120419.txt for details
of that vulnerability.
This issue only affects OpenSSL 0.9.8v. OpenSSL 1.0.1a and 1.0.0i
already contain a patch sufficient to correct CVE-2012-2110.
Thanks to Red Hat for discovering and fixing this issue.
Affected users should upgrade to 0.9.8w.
References
==========
URL for this Security Advisory:
http://www.openssl.org/news/secadv_20120424.txt
Normally 576 is the smallest valid mtu but some cable provider set this
also if they support much higher mtu's. Fedora does not accept
this to prevent speed problems with such isp connections so we do the same.
If you really need mtu=576 you can still force at at the setup.
Invalid TLS/DTLS record attack (CVE-2012-2333)
===============================================
A flaw in the OpenSSL handling of CBC mode ciphersuites in TLS 1.1, 1.2 and
DTLS can be exploited in a denial of service attack on both clients and
servers.
DTLS applications are affected in all versions of OpenSSL. TLS is only
affected in OpenSSL 1.0.1 and later.
Thanks to Codenomicon for discovering this issue using Fuzz-o-Matic fuzzing
as a service testing platform.
The fix was developed by Stephen Henson of the OpenSSL core team.
Affected users should upgrade to OpenSSL 1.0.1c, 1.0.0j or 0.9.8x
References
==========
URL for this Security Advisory:
http://www.openssl.org/news/secadv_20120510.txt
SN1 BIO incomplete fix (CVE-2012-2131)
=======================================
It was discovered that the fix for CVE-2012-2110 released on 19 Apr
2012 was not sufficient to correct the issue for OpenSSL 0.9.8.
Please see http://www.openssl.org/news/secadv_20120419.txt for details
of that vulnerability.
This issue only affects OpenSSL 0.9.8v. OpenSSL 1.0.1a and 1.0.0i
already contain a patch sufficient to correct CVE-2012-2110.
Thanks to Red Hat for discovering and fixing this issue.
Affected users should upgrade to 0.9.8w.
References
==========
URL for this Security Advisory:
http://www.openssl.org/news/secadv_20120424.txt
