===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2018.3037
tinc security update
9 October 2018
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           tinc
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Access Privileged Data -- Remote with User Interaction
                   Unauthorised Access    -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-16758 CVE-2018-16738

Original Bulletin:
   http://www.debian.org/security/2018/dsa-4312

Comment: This advisory references vulnerabilities in products which run on
         platforms other than Debian. It is recommended that administrators
         running tinc check for an updated version of the software for their
         operating system.

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-4312-1                   security@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
October 08, 2018                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : tinc
CVE ID         : CVE-2018-16738 CVE-2018-16758

Several vulnerabilities were discovered in tinc, a Virtual Private
Network (VPN) daemon. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2018-16738

    Michael Yonli discovered a flaw in the implementation of the
    authentication protocol that could allow a remote attacker to
    establish an authenticated, one-way connection with another node.

CVE-2018-16758

    Michael Yonli discovered that a man-in-the-middle that has
    intercepted a TCP connection might be able to disable encryption of
    UDP packets sent by a node.

For the stable distribution (stretch), these problems have been fixed in
version 1.0.31-1+deb9u1.

We recommend that you upgrade your tinc packages.

For the detailed security status of tinc please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/tinc

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================