PublicDateAtUSN: 2017-01-31
Candidate: CVE-2016-6329
PublicDate: 2017-01-31 22:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6329
 https://community.openvpn.net/openvpn/wiki/SWEET32
 https://sweet32.info/
 https://ubuntu.com/security/notices/USN-3339-1
Description:
 OpenVPN, when using a 64-bit block cipher, makes it easier for remote
 attackers to obtain cleartext data via a birthday attack against a
 long-duration encrypted session, as demonstrated by an HTTP-over-OpenVPN
 session using Blowfish in CBC mode, aka a "Sweet32" attack.
Ubuntu-Description:
Notes:
 mdeslaur> openvpn 2.3 and earlier use BF-CBC by default unless the cipher
 mdeslaur> is specified manually. 2.3.12 was modified to display a warning
 mdeslaur> if a 64-bit cipher is selected.
 mdeslaur> Since this is just a warning, downgrading priority to low
 sbeattie> fixed in 2.4.0
Bugs:
Priority: low
Discovered-by: Karthikeyan Bhargavan, Gaëtan Leurent
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N [5.9 MEDIUM]

Patches_openvpn:
 upstream: https://github.com/OpenVPN/openvpn/commit/610fdbbdb0abf65c1e7620143afccd62cd162a8f (warning/2.3)
 upstream: https://github.com/OpenVPN/openvpn/commit/c94b3ff0f5f1dbd4949f18f69ed3611f82a29021 (warning/trunk)
upstream_openvpn: released (2.3.12, 2.4.0)
precise_openvpn: ignored (reached end-of-life)
precise/esm_openvpn: ignored (end of ESM support, was needed)
trusty_openvpn: released (2.3.2-7ubuntu3.2)
trusty/esm_openvpn: released (2.3.2-7ubuntu3.2)
vivid/stable-phone-overlay_openvpn: ignored (reached end-of-life)
vivid/ubuntu-core_openvpn: DNE
xenial_openvpn: released (2.3.10-1ubuntu2.1)
esm-infra/xenial_openvpn: released (2.3.10-1ubuntu2.1)
yakkety_openvpn: released (2.3.11-1ubuntu2.1)
zesty_openvpn: not-affected (2.4.0-4ubuntu1)
artful_openvpn: not-affected (2.4.0-4ubuntu1)
bionic_openvpn: not-affected (2.4.0-4ubuntu1)
cosmic_openvpn: not-affected (2.4.0-4ubuntu1)
disco_openvpn: not-affected (2.4.0-4ubuntu1)
eoan_openvpn: not-affected (2.4.0-4ubuntu1)
focal_openvpn: not-affected (2.4.0-4ubuntu1)
groovy_openvpn: not-affected (2.4.0-4ubuntu1)
hirsute_openvpn: not-affected (2.4.0-4ubuntu1)
devel_openvpn: not-affected (2.4.0-4ubuntu1)
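The record above says two things a practitioner wants to check for themselves: why a 64-bit block cipher is a problem for a long-lived tunnel (the birthday bound the Sweet32 attack relies on), and whether a given OpenVPN config is exposed, including the 2.3-and-earlier case where no `cipher` directive is present and BF-CBC is used by default. The Python below is an added example written for this page; it is not code from OpenVPN, Ubuntu, or the Sweet32 authors, and the check it performs is not the warning that the upstream 2.3.12 commit implements. The set of cipher names it treats as 64-bit block ciphers, the `default_cipher` parameter, and the sample configs are assumptions constructed for the example.

```python
"""Sweet32 (CVE-2016-6329) helpers: birthday-bound math for 64-bit vs
128-bit block ciphers, and a config audit for OpenVPN cipher directives.
Added example code; not OpenVPN's own check."""
import math

# OpenSSL/OpenVPN names of common 64-bit block ciphers. Assumption: this list
# is ours and covers only well-known names, not every cipher OpenSSL exposes.
SIXTY_FOUR_BIT_BLOCK_CIPHERS = {
    "BF-CBC", "BF-CFB", "BF-OFB",
    "DES-CBC", "DES-EDE-CBC", "DES-EDE3-CBC",
    "CAST5-CBC", "IDEA-CBC", "RC2-CBC",
}


def collision_probability(n_blocks, block_bits):
    """Probability that at least two of n_blocks ciphertext blocks collide,
    modelling the blocks as uniform b-bit values (birthday bound):
    1 - exp(-n(n-1) / 2^(b+1)). In CBC a collision leaks the XOR of two
    plaintext blocks, which is what Sweet32 exploits."""
    exponent = n_blocks * (n_blocks - 1) / 2 ** (block_bits + 1)
    return 1.0 - math.exp(-exponent)


def blocks_for_collision(block_bits, probability=0.5):
    """Blocks after which a collision occurs with the given probability:
    n ~ sqrt(2 * ln(1/(1-p)) * 2^b). For b=64 this is about 2^32 blocks."""
    return math.sqrt(2 * math.log(1 / (1 - probability)) * 2 ** block_bits)


def bytes_for_collision(block_bits, probability=0.5):
    """Same bound expressed as bytes of traffic on one key."""
    return blocks_for_collision(block_bits, probability) * (block_bits // 8)


def audit_openvpn_config(config_text, default_cipher="BF-CBC"):
    """Return findings for 64-bit block ciphers in an OpenVPN config.

    default_cipher models the fallback when no `cipher` line is present;
    "BF-CBC" matches the 2.3-and-earlier behaviour noted in the tracker
    record. Pass None for builds whose default is not a 64-bit cipher."""
    findings = []
    explicit_cipher = None
    for raw in config_text.splitlines():
        line = raw.strip()
        # OpenVPN treats lines starting with '#' or ';' as comments.
        if not line or line.startswith(("#", ";")):
            continue
        parts = line.split()
        directive, args = parts[0].lower(), parts[1:]
        if directive == "cipher" and args:
            explicit_cipher = args[0].upper()
            if explicit_cipher in SIXTY_FOUR_BIT_BLOCK_CIPHERS:
                findings.append(
                    f"cipher {explicit_cipher}: 64-bit block cipher (Sweet32)")
        elif directive in ("ncp-ciphers", "data-ciphers") and args:
            # Negotiable cipher lists are colon-separated (2.4 / 2.5 syntax).
            for name in args[0].split(":"):
                if name.upper() in SIXTY_FOUR_BIT_BLOCK_CIPHERS:
                    findings.append(
                        f"{directive} includes {name.upper()}: 64-bit block cipher")
    if explicit_cipher is None and default_cipher in SIXTY_FOUR_BIT_BLOCK_CIPHERS:
        findings.append(
            f"no cipher directive: falls back to default {default_cipher} (64-bit block)")
    return findings


# Constructed sample configs (not taken from any real deployment).
WEAK_CONFIG = """\
# explicit 64-bit block cipher
client
dev tun
remote vpn.example.invalid 1194
cipher BF-CBC
"""

LEGACY_DEFAULT_CONFIG = """\
# no cipher directive: a 2.3 build silently uses BF-CBC
client
dev tun
remote vpn.example.invalid 1194
"""

FIXED_CONFIG = """\
# 128-bit block cipher, accepted by both 2.3 and 2.4 builds
client
dev tun
remote vpn.example.invalid 1194
cipher AES-256-CBC
"""

if __name__ == "__main__":
    for bits in (64, 128):
        gib = bytes_for_collision(bits) / 2 ** 30
        print(f"{bits}-bit blocks: 50% chance of a block collision after ~{gib:.3g} GiB")
    for label, cfg in (("weak", WEAK_CONFIG),
                       ("legacy-default", LEGACY_DEFAULT_CONFIG),
                       ("fixed", FIXED_CONFIG)):
        print(label, audit_openvpn_config(cfg) or ["ok"])
```

Run stand-alone, the script reports that a 64-bit block cipher reaches a 50% collision chance after a few tens of GiB on a single session key, against roughly 2^32 times more for a 128-bit block cipher, and flags both the explicit `cipher BF-CBC` line and the missing-directive case while passing the AES config. On a real 2.3 host, rekeying more often (`reneg-sec`/`reneg-bytes`) shrinks the window but does not remove the weakness; selecting a 128-bit block cipher does.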