|
COMMAND l2tpd tunneling software bad random in crypt and buffer overflow SYSTEMS AFFECTED All versions of l2tpd up to this point PROBLEM Jeff Mcadams says : --snipp-- All versions of l2tpd up to this point used the rand() function to generate random numbers, but didn't seed rand() with srand() *AT ALL*! (Hey, I didn't originally write it, folks ;). rand() was used as a source for random numbers for tunnel, and session ids (which means that, previously, tunnel and session ids were predictable...not a big deal), but also for challenge generation in the challenge-response mechanism (which *IS* a big deal). --snapp-- Also there is a fix for some off by 6 errors in avp handling in the new release : When dealing with the size of the value in an AVP, don't use the length field of the AVP...at least not without subtracting 6 bytes for the AVP header...I think there are more places for this to be fixed in the code...haven't auditted all of the avp handling code for this yet. --snipp-- SOLUTION Get version 0.68 from [http://www.l2tpd.org]