[eduVPN-deploy] [update] [SECURITY] vpn-server-api 1.0.4
François Kooman
fkooman at tuxed.net
Wed Oct 4 15:22:12 CEST 2017
Hi!
I just released version 1.0.4 of vpn-server-api. The central component
managing the VPN service.
**THIS IS A SECURITY RELEASE**
A bug in the validation of 2FA OTPs make it possible to connect to a VPN
service that had 2FA enabled, but where the user was not (any longer)
enrolled using a YubiKey.
By choosing "yubi" as the user when connecting to the VPN and using a
valid YubiKey OTP (from any YubiKey) allowed the user to connect to the VPN.
Administrators that rely on 2FA **MUST** update as soon as possible.
To install the update(s):
$ sudo yum clean expire-cache && sudo yum -y update
Let me know if you have any questions!
Cheers,
François
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://list.surfnet.nl/pipermail/eduvpn-deploy/attachments/20171004/a85d3002/attachment.sig>
More information about the eduVPN-deploy
mailing list