CVE-2017-12166: Fix bounds check for configurations using --key-method 1. Before this fix, it could allow an attacker to send a malformed packet to trigger a stack overflow. This is considered to be a low risk issue, as --key-method 2 has been the default since OpenVPN 2.0 (released on 2005-04-17). This option is already deprecated in v2.4 and will be completely removed in v2.5.

Fixed in 2.4.4, which will arrive in ::gentoo shortly.
commit da95c4cdb346e34ea502c71d1c53672045ac6a98 (HEAD -> master, origin/master, origin/HEAD)
Author: Manuel Rüger <mrueg@gentoo.org>
Date:   Wed Sep 27 00:05:43 2017 +0200

    net-vpn/openvpn: Version bump to 2.4.4

    Package-Manager: Portage-2.3.10, Repoman-2.3.2
Arches, please test and mark stable.
amd64 stable
x86 stable
ppc64 stable
ppc stable
ia64 stable
hppa stable
arm stable
Stable on alpha.
GLSA Vote: No

@maintainers, please clean the vulnerable versions.
@Maintainers ping.
Tree is clean. Thanks, William!