ALAS-2016-750

Amazon Linux 1 Security Advisory: ALAS-2016-750
Advisory Release Date: 2016-09-27 10:30 Pacific
Advisory Updated Date: 2016-09-27 10:30 Pacific

Severity: Medium

References: CVE-2016-6329
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

Ciphers with 64-bit block sizes used in CBC mode were found to be vulnerable to a birthday attack when key renegotiation doesn't happen frequently or at all in long running connections. The blowfish cipher as used in OpenVPN by default is vulnerable to this attack, allowing a remote attacker to recover partial plaintext information (XOR of two plaintext blocks).

Affected Packages:

openvpn

Issue Correction:
Run yum update openvpn to update your system.

New Packages:

i686:
    openvpn-debuginfo-2.3.12-1.16.amzn1.i686
    openvpn-2.3.12-1.16.amzn1.i686

src:
    openvpn-2.3.12-1.16.amzn1.src

x86_64:
    openvpn-2.3.12-1.16.amzn1.x86_64
    openvpn-debuginfo-2.3.12-1.16.amzn1.x86_64

Additional References

Red Hat: CVE-2016-6329

Mitre: CVE-2016-6329