• [SECURITY] [DSA 3900-1] openvpn security update

    From Sebastien Delafond@1:229/2 to All on Tue Jun 27 22:20:02 2017
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    - -------------------------------------------------------------------------
    Debian Security Advisory DSA-3900-1                   [email protected]
    https://www.debian.org/security/                       Sebastien Delafond
    June 27, 2017                         https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package : openvpn
    CVE ID : CVE-2017-7479 CVE-2017-7508 CVE-2017-7520 CVE-2017-7521
    Debian Bug : 865480

    Several issues were discovered in openvpn, a virtual private network
    application.

    CVE-2017-7479

    It was discovered that openvpn did not properly handle the
    rollover of packet identifiers. This would allow an authenticated
    remote attacker to cause a denial-of-service via application
    crash.

    CVE-2017-7508

    Guido Vranken discovered that openvpn did not properly handle
    specific malformed IPv6 packets. This would allow a remote
    attacker to cause a denial-of-service via application crash.

    CVE-2017-7520

    Guido Vranken discovered that openvpn did not properly handle
    clients connecting to an HTTP proxy with NTLMv2
    authentication. This would allow a remote attacker to cause a
    denial-of-service via application crash, or potentially leak
    sensitive information like the user's proxy password.

    CVE-2017-7521

    Guido Vranken discovered that openvpn did not properly handle
    some x509 extensions. This would allow a remote attacker to cause
    a denial-of-service via application crash.

    For the oldstable distribution (jessie), these problems have been fixed
    in version 2.3.4-5+deb8u2.

    For the stable distribution (stretch), these problems have been fixed in
    version 2.4.0-6+deb9u1.

    For the testing distribution (buster), these problems have been fixed
    in version 2.4.3-1.

    For the unstable distribution (sid), these problems have been fixed in
    version 2.4.3-1.

    We recommend that you upgrade your openvpn packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/

    Mailing list: [email protected]
