VuXML: OpenVPN -- several vulnerabilities

Affected packages

openvpn

2.3.17

2.4.0

openvpn

2.4.3

openvpn-mbedtls

2.4.3

openvpn-polarssl

2.3.17

Details

VuXML ID	9f65d382-56a4-11e7-83e3-080027ef73ec
Discovery	2017-05-19
Entry	2017-06-21

VuXML ID

9f65d382-56a4-11e7-83e3-080027ef73ec

Discovery

2017-05-19

Entry

2017-06-21

Samuli Seppänen reports:

In May/June 2017 Guido Vranken threw a fuzzer at OpenVPN 2.4.2. In the process he found several vulnerabilities and reported them to the OpenVPN project. [...] The first releases to have these fixes are OpenVPN 2.4.3 and 2.3.17.

This is a list of fixed important vulnerabilities:

Remotely-triggerable ASSERT() on malformed IPv6 packet

Pre-authentication remote crash/information disclosure for clients

Potential double-free in --x509-alt-username

Remote-triggerable memory leaks

Post-authentication remote DoS when using the --x509-track option

Null-pointer dereference in establish_http_proxy_passthru()

[source]

References

CVE Name

CVE-2017-7508

CVE Name

CVE-2017-7512

CVE Name

CVE-2017-7520

CVE Name

CVE-2017-7521

CVE Name

CVE-2017-7522

URL

https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243