
Closed
Opened Jan 10, 2019 by Alicha CH (@alicha, Reporter)

[3.7] tinc: Multiple issues (CVE-2018-16737, CVE-2018-16738, CVE-2018-16758)

CVE-2018-16737: tinc 1.0.29 and earlier allow an oracle attack that could allow a remote attacker to establish one-way communication
with a tinc node, allowing it to send fake control messages and inject packets into the VPN. The attack takes only a few seconds to complete.
Tinc 1.1pre14 and earlier allow the same attack if they are configured to allow connections from nodes using the legacy 1.0.x protocol.

Fixed In Version:

tinc 1.0.35

References:

https://www.tinc-vpn.org/security/

Patch:

http://www.tinc-vpn.org/git/browse?p=tinc;a=commit;h=d3297fbd3b8c8c8a4661f5bbf89aca5cacba8b5a

CVE-2018-16738: tinc 1.0.30 through 1.0.34 has a broken authentication protocol, although there is a partial mitigation.

Fixed In Version:

tinc 1.0.35

References:

https://www.tinc-vpn.org/security/

Patch:

https://www.tinc-vpn.org/git/browse?p=tinc;a=commit;h=d3297fbd3b8c8c8a4661f5bbf89aca5cacba8b5a

CVE-2018-16758: Missing message authentication in the meta-protocol in Tinc VPN version 1.0.34 and earlier
allows a man-in-the-middle attack to disable the encryption of VPN packets.

Fixed In Version:

tinc 1.0.35

References:

https://www.tinc-vpn.org/security/

Patch:

https://www.tinc-vpn.org/git/browse?p=tinc;a=patch;h=e97943b7cc9c851ae36f5a41e2b6102faa74193f

(from redmine: issue id 9841, created on 2019-01-10, closed on 2019-02-19)

  • Relations:
    • parent #9839 (closed)
  • Changesets:
    • Revision 4bae97cf on 2019-02-04T08:27:08Z:
main/tinc: security upgrade 1.0.35

CVE-2018-16738, CVE-2018-16758

Fixes #9841
Milestone: 3.7.2
Labels: Normal, tag:security, type:bug
Reference: alpine/aports#9841