
Bug 622376 (CVE-2017-7508, CVE-2017-7520, CVE-2017-7521, CVE-2017-7522)

Summary: <net-vpn/openvpn-2.4.3: multiple memory corruption vulnerabilities (CVE-2017-{7508,7520,7521,7522})
Product: Gentoo Security
Reporter: Hanno Böck <hanno>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: alexander, chutzpah, mrueg, sergeev917, sudormrfhalt
Priority: Normal
Flags: stable-bot: sanity-check+
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [noglsa cve]
Package list:
=net-vpn/openvpn-2.4.3 =net-misc/networkmanager-openvpn-1.2.10 amd64 x86
Runtime testing required: ---

Description Hanno Böck gentoo-dev 2017-06-21 11:30:47 UTC
Several vulnerabilities were discovered in openvpn via fuzzing:

Here's the blogpost by the person who found them:

Here's the upstream changelog:

Please update to openvpn 2.4.3.
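The affected range in the summary is written as the Gentoo package atom `<net-vpn/openvpn-2.4.3`. The following script is an added example, written for this page and not part of the bug, the reporter's report or Gentoo's tooling: it parses such an atom and decides whether an installed `category/package-version` string (the form printed by `equery list`) falls inside it, using the PMS suffix ordering (`_alpha` < `_beta` < `_pre` < `_rc` < no suffix < `_p`) and `-rN` revisions. The sample inventory at the bottom is constructed; the comparison simplifies PMS by comparing numeric components as integers and does not support `~` or `*` atoms.

```python
"""Check installed package versions against a Gentoo atom such as
"<net-vpn/openvpn-2.4.3".  Added example for this bug page; not Gentoo code."""
import re

# Vulnerable range exactly as written in the bug summary.
VULNERABLE_ATOM = "<net-vpn/openvpn-2.4.3"

# PMS suffix ordering: _alpha < _beta < _pre < _rc < (no suffix) < _p
_SUFFIX_RANK = {"alpha": 0, "beta": 1, "pre": 2, "rc": 3, None: 4, "p": 5}

_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)"                       # 2.4.3
    r"(?P<letter>[a-z]?)"                             # optional letter, e.g. 1.0.2k
    r"(?P<suffixes>(?:_(?:alpha|beta|pre|rc|p)\d*)*)"  # _rc1, _p2, ...
    r"(?:-r(?P<rev>\d+))?$"                           # Gentoo revision -r1
)

# operator, category/package, version; the version starts at the first "-digit".
_ATOM_RE = re.compile(
    r"^(?P<op><=|>=|<|>|=)?"
    r"(?P<cp>[A-Za-z0-9_+-]+/[A-Za-z0-9_+-]+?)-(?P<ver>\d[^/]*)$"
)


def parse_version(ver):
    """Split a Gentoo version into (numbers, letter, suffixes, revision)."""
    m = _VERSION_RE.match(ver)
    if not m:
        raise ValueError(f"not a valid Gentoo version: {ver!r}")
    # Simplification: PMS compares some leading-zero components as strings;
    # plain integer tuples are enough for release versions like 2.4.3.
    nums = tuple(int(x) for x in m.group("nums").split("."))
    suffixes = tuple(
        (_SUFFIX_RANK[name], int(num or 0))
        for name, num in re.findall(r"_([a-z]+)(\d*)", m.group("suffixes"))
    )
    return nums, m.group("letter"), suffixes, int(m.group("rev") or 0)


def compare_versions(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    na, la, sa, ra = parse_version(a)
    nb, lb, sb, rb = parse_version(b)
    if na != nb:                      # (2, 4) < (2, 4, 0): more components wins
        return -1 if na < nb else 1
    if la != lb:                      # "" < "a" < "b"
        return -1 if la < lb else 1
    no_suffix = (_SUFFIX_RANK[None], 0)
    for i in range(max(len(sa), len(sb))):
        x = sa[i] if i < len(sa) else no_suffix
        y = sb[i] if i < len(sb) else no_suffix
        if x != y:
            return -1 if x < y else 1
    return (ra > rb) - (ra < rb)      # revision decides last


def parse_atom(atom):
    """Return (operator, category/package, version); a bare cpv gets '='."""
    m = _ATOM_RE.match(atom)
    if not m:
        raise ValueError(f"unsupported atom: {atom!r}")
    return m.group("op") or "=", m.group("cp"), m.group("ver")


def atom_matches(atom, installed_cpv):
    """True if the installed category/package-version lies inside the atom."""
    op, cp, ver = parse_atom(atom)
    _, icp, iver = parse_atom(installed_cpv)
    if icp != cp:                     # different package: never a match
        return False
    c = compare_versions(iver, ver)
    return {"<": c < 0, "<=": c <= 0, "=": c == 0, ">=": c >= 0, ">": c > 0}[op]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts or real query output.
    for cpv in ["net-vpn/openvpn-2.4.2", "net-vpn/openvpn-2.4.3_rc1",
                "net-vpn/openvpn-2.4.3", "net-vpn/openvpn-2.4.3-r1",
                "net-misc/networkmanager-openvpn-1.2.10"]:
        state = "VULNERABLE" if atom_matches(VULNERABLE_ATOM, cpv) else "ok"
        print(f"{cpv:45} {state}")
```

Feeding it the output of `equery list '*'` (or any other inventory in `category/package-version` form) turns the summary's atom into a per-host yes/no, which is the check a fleet owner would run before trusting that the stabilization below has actually reached a machine.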
Comment 1 Manuel Rüger (RETIRED) gentoo-dev 2017-06-21 17:58:49 UTC
commit f18b448fb4d8b18f058d67a4baf8445493cb5b52
Author: Manuel Rüger <>
Date:   Wed Jun 21 19:56:43 2017 +0200

    net-vpn/openvpn: Version bump to 2.4.3
    Gentoo-Bug: #622376
    Package-Manager: Portage-2.3.6, Repoman-2.3.2
Comment 2 Agostino Sarubbo gentoo-dev 2017-06-22 11:16:03 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

Target keywords : "amd64 x86"
Comment 3 Agostino Sarubbo gentoo-dev 2017-06-22 12:47:34 UTC
amd64 stable
Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2017-06-26 20:19:56 UTC
Stable on alpha.
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2017-06-30 07:49:38 UTC
ia64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-06-30 11:11:47 UTC
x86 stable
Comment 7 Markus Meier gentoo-dev 2017-07-07 06:17:46 UTC
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2017-07-07 09:10:56 UTC
sparc stable
Comment 9 Agostino Sarubbo gentoo-dev 2017-07-07 13:25:58 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2017-07-07 14:51:28 UTC
ppc64 stable
Comment 11 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-17 00:30:17 UTC
Arches, please finish stabilizing hppa

Gentoo Security Padawan
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-27 08:26:29 UTC
hppa stable
Comment 13 Manuel Rüger (RETIRED) gentoo-dev 2017-09-27 10:03:35 UTC
Vulnerable versions for these issues have been cleaned up.
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2017-09-27 11:51:59 UTC
Downgraded to B3. All reports discuss DoS and provide no PoC for ACE/RCE.

GLSA Vote: No