[3.7] tinc: Multiple issues (CVE-2018-16737, CVE-2018-16738, CVE-2018-16758) (#9841) · Issues · alpine / aports

[3.7] tinc: Multiple issues (CVE-2018-16737, CVE-2018-16738, CVE-2018-16758)

CVE-2018-16737: tinc 1.0.29 and earlier allow an oracle attack that could allow a remote attacker to establish one-way communication
with a tinc node, allowing it to send fake control messages and inject packets into the VPN. The attack takes only a few seconds to complete.
Tinc 1.1pre14 and earlier allow the same attack if they are configured to allow connections from nodes using the legacy 1.0.x protocol.

Fixed In Version:

tinc 1.0.35

References:

https://www.tinc-vpn.org/security/

Patch:

http://www.tinc-vpn.org/git/browse?p=tinc;a=commit;h=d3297fbd3b8c8c8a4661f5bbf89aca5cacba8b5a

CVE-2018-16738: tinc 1.0.30 through 1.0.34 has a broken authentication protocol, although there is a partial mitigation.

Fixed In Version:

tinc 1.0.35

References:

https://www.tinc-vpn.org/security/

Patch:

https://www.tinc-vpn.org/git/browse?p=tinc;a=commit;h=d3297fbd3b8c8c8a4661f5bbf89aca5cacba8b5a

CVE-2018-16758: Missing message authentication in the meta-protocol in Tinc VPN version 1.0.34 and earlier
allows a man-in-the-middle attack to disable the encryption of VPN packets.

Fixed In Version:

tinc 1.0.35

References:

https://www.tinc-vpn.org/security/

Patch:

https://www.tinc-vpn.org/git/browse?p=tinc;a=patch;h=e97943b7cc9c851ae36f5a41e2b6102faa74193f

(from redmine: issue id 9841, created on 2019-01-10, closed on 2019-02-19)

Relations:
- parent #9839 (closed)
Changesets:
- Revision 4bae97cf on 2019-02-04T08:27:08Z:

main/tinc: security upgrade 1.0.35

CVE-2018-16738, CVE-2018-16758

Fixes #9841

**CVE-2018-16737**: tinc 1.0.29 and earlier allow an oracle attack that
could allow a remote attacker to establish one-way communication  
with a tinc node, allowing it to send fake control messages and inject
packets into the VPN. The attack takes only a few seconds to complete.  
Tinc 1.1pre14 and earlier allow the same attack if they are configured
to allow connections from nodes using the legacy 1.0.x protocol.

### Fixed In Version:

tinc 1.0.35

### References:

https://www.tinc-vpn.org/security/

### Patch:

http://www.tinc-vpn.org/git/browse?p=tinc;a=commit;h=d3297fbd3b8c8c8a4661f5bbf89aca5cacba8b5a

**CVE-2018-16738**: tinc 1.0.30 through 1.0.34 has a broken
authentication protocol, although there is a partial mitigation.

### Fixed In Version:

tinc 1.0.35

### References:

https://www.tinc-vpn.org/security/

### Patch:

https://www.tinc-vpn.org/git/browse?p=tinc;a=commit;h=d3297fbd3b8c8c8a4661f5bbf89aca5cacba8b5a

**CVE-2018-16758**: Missing message authentication in the meta-protocol
in Tinc VPN version 1.0.34 and earlier  
allows a man-in-the-middle attack to disable the encryption of VPN
packets.

### Fixed In Version:

tinc 1.0.35

### References:

https://www.tinc-vpn.org/security/

### Patch:

https://www.tinc-vpn.org/git/browse?p=tinc;a=patch;h=e97943b7cc9c851ae36f5a41e2b6102faa74193f

*(from redmine: issue id 9841, created on 2019-01-10, closed on 2019-02-19)*

* Relations:
  * parent #9839
* Changesets:
  * Revision 4bae97cf753480617c190b18324ad04d705294b6 on 2019-02-04T08:27:08Z:

```
main/tinc: security upgrade 1.0.35

CVE-2018-16738, CVE-2018-16758

Fixes #9841
```

Discussion
Designs

The one place for your designs

To enable design management, you'll need to meet the requirements. If you need help, reach out to our support team for assistance.