ALAS-2016-750


Amazon Linux AMI Security Advisory: ALAS-2016-750
Advisory Release Date: 2016-09-27 10:30 Pacific
Severity: Medium
References: CVE-2016-6329 

Issue Overview:

Ciphers with 64-bit block sizes used in CBC mode were found to be vulnerable to a birthday attack when key renegotiation happens infrequently or not at all in long-running connections. The Blowfish cipher, which OpenVPN uses by default, is vulnerable to this attack, allowing a remote attacker to recover partial plaintext information (the XOR of two plaintext blocks).
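
A configuration check for the condition described above, added here as an example and not part of the advisory or of OpenVPN itself: it resolves the effective cipher of an OpenVPN config (Blowfish when no cipher line is present) and applies the birthday bound to the reneg-bytes limit on data encrypted under one key. The cipher-name list, the function names and the sample configs are assumptions made for illustration.

```python
import math

# Assumption: OpenSSL-style names of 64-bit block ciphers; the list is illustrative.
BLOCK64_PREFIXES = ("BF-", "DES-", "DESX-", "CAST5-", "RC2-", "IDEA-")
DEFAULT_CIPHER = "BF-CBC"  # per the advisory, Blowfish is OpenVPN's default cipher


def parse_directives(config_text):
    """Map each directive to its argument list; a later line overrides an earlier one."""
    directives = {}
    for raw in config_text.splitlines():
        # Drop '#' and ';' comments, then surrounding whitespace.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            directives[name.lstrip("-")] = args
    return directives


def collision_probability(bytes_per_key, block_bits=64):
    """Birthday-bound chance that two ciphertext blocks under one key are equal."""
    n = bytes_per_key // (block_bits // 8)  # number of blocks encrypted
    return -math.expm1(-n * (n - 1) / 2 ** (block_bits + 1))


def audit(config_text):
    """Report the effective cipher and how much data one key may encrypt."""
    d = parse_directives(config_text)
    cipher = (d.get("cipher") or [DEFAULT_CIPHER])[0].upper()
    block64 = cipher.startswith(BLOCK64_PREFIXES)
    limit = int((d.get("reneg-bytes") or ["0"])[0])  # 0 = no byte-based renegotiation
    return {
        "cipher": cipher,
        "block64": block64,
        "reneg_bytes": limit,
        "collision_probability": collision_probability(limit) if block64 and limit else None,
        "at_risk": block64 and limit == 0,  # 64-bit blocks with no byte cap per key
    }


# Constructed sample configurations, not taken from any real deployment.
SAMPLE_DEFAULT = "port 1194\nproto udp\ndev tun\n"
SAMPLE_LIMITED = "cipher BF-CBC\nreneg-bytes 64000000  # rekey every 64 MB\n"
SAMPLE_AES = "cipher AES-256-CBC\n"

if __name__ == "__main__":
    for sample in (SAMPLE_DEFAULT, SAMPLE_LIMITED, SAMPLE_AES):
        print(audit(sample))
```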


Affected Packages:

openvpn


Issue Correction:
Run yum update openvpn to update your system.

New Packages:
i686:
    openvpn-debuginfo-2.3.12-1.16.amzn1.i686
    openvpn-2.3.12-1.16.amzn1.i686

src:
    openvpn-2.3.12-1.16.amzn1.src

x86_64:
    openvpn-2.3.12-1.16.amzn1.x86_64
    openvpn-debuginfo-2.3.12-1.16.amzn1.x86_64