CVE-2017-12166: Fix bounds check for configurations using --key-method 1. Before this fix, it could allow an attacker to send a malformed packet to trigger a stack overflow. This is considered to be a low risk issue, as --key-method 2 has been the default since OpenVPN 2.0 (released on 2005-04-17). This option is already deprecated in v2.4 and will be completely removed in v2.5.
Fixed in 2.4.4, which will arrive in ::gentoo shortly
commit da95c4cdb346e34ea502c71d1c53672045ac6a98 (HEAD -> master, origin/master, origin/HEAD)
Author: Manuel Rüger <email@example.com>
Date: Wed Sep 27 00:05:43 2017 +0200
net-vpn/openvpn: Version bump to 2.4.4
Package-Manager: Portage-2.3.10, Repoman-2.3.2
Arches please test and mark stable
Stable on alpha.
GLSA Vote: No
@maintainers, please clean the vulnerable versions.
Tree is clean. Thanks, William!
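The description at the top ties the issue to configurations that set --key-method 1. As an added example (not part of the original bug thread or of OpenVPN itself), the script below lists active `key-method 1` directives in OpenVPN config files given on the command line. The function name `find_key_method_1` is hypothetical; the script skips `#` and `;` comment lines and inline `<...>` blocks, and tolerates the directive written with or without the leading `--`.

```shell
#!/bin/sh
# Added example: report active "key-method 1" directives in OpenVPN configs.
# Prints "file:line" for each hit; returns 0 if any hit was found, 1 if none.
find_key_method_1() {
    awk '
        FNR == 1          { inline = 0 }        # reset state at the start of each file
                          { first = $1 }
        first ~ "^[#;]"   { next }              # whole-line comment
        first ~ "^</"     { inline = 0; next }  # end of an inline block such as </ca>
        inline            { next }              # inside inline key/cert material
        first ~ "^<"      { inline = 1; next }  # start of an inline block such as <ca>
        {
            opt = first
            sub(/^--/, "", opt)                 # tolerate a leading "--"
            if (opt == "key-method" && $2 == "1") {
                printf "%s:%d\n", FILENAME, FNR
                hits++
            }
        }
        END { exit (hits ? 0 : 1) }
    ' "$@"
}

# Run against the files passed as arguments, e.g. /etc/openvpn/*.conf
if [ "$#" -gt 0 ]; then
    find_key_method_1 "$@"
fi
```

A file with no `key-method` line is not reported, since --key-method 2 is the default.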