Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 622376 (CVE-2017-7508, CVE-2017-7520, CVE-2017-7521, CVE-2017-7522) - <net-vpn/openvpn-2.4.3: multiple memory corruption vulnerabilities (CVE-2017-{7508,7520,7521,7522})
Summary: <net-vpn/openvpn-2.4.3: multiple memory corruption vulnerabilities (CVE-2017-...
Status: RESOLVED FIXED
Alias: CVE-2017-7508, CVE-2017-7520, CVE-2017-7521, CVE-2017-7522
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://community.openvpn.net/openvpn...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-21 11:30 UTC by Hanno Böck
Modified: 2017-09-27 11:51 UTC (History)
5 users (show)

See Also:
Package list:
=net-vpn/openvpn-2.4.3 =net-misc/networkmanager-openvpn-1.2.10 amd64 x86
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2017-06-21 11:30:47 UTC 
Several vulnerabilities were discovered in openvpn via fuzzing:
https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243

Here's the blogpost by the person who found them:
https://guidovranken.wordpress.com/2017/06/21/the-openvpn-post-audit-bug-bonanza/

Here's the upsteam changelog:
https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24

Please update to openvpn 2.4.3.
Comment 1 Manuel Rüger (RETIRED) gentoo-dev 2017-06-21 17:58:49 UTC 
commit f18b448fb4d8b18f058d67a4baf8445493cb5b52
Author: Manuel Rüger <mrueg@gentoo.org>
Date:   Wed Jun 21 19:56:43 2017 +0200

    net-vpn/openvpn: Version bump to 2.4.3
    
    Gentoo-Bug: #622376
    Package-Manager: Portage-2.3.6, Repoman-2.3.2
Comment 2 Agostino Sarubbo gentoo-dev 2017-06-22 11:16:03 UTC 
Arches, please test and mark stable:
=net-vpn/openvpn-2.4.3
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

=net-misc/networkmanager-openvpn-1.2.10
Target keywords : "amd64 x86"
Comment 3 Agostino Sarubbo gentoo-dev 2017-06-22 12:47:34 UTC 
amd64 stable
Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2017-06-26 20:19:56 UTC 
Stable on alpha.
Comment 5 Sergei Trofimovich (RETIRED) gentoo-dev 2017-06-30 07:49:38 UTC 
ia64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-06-30 11:11:47 UTC 
x86 stable
Comment 7 Markus Meier gentoo-dev 2017-07-07 06:17:46 UTC 
arm stable
Comment 8 Agostino Sarubbo gentoo-dev 2017-07-07 09:10:56 UTC 
sparc stable
Comment 9 Agostino Sarubbo gentoo-dev 2017-07-07 13:25:58 UTC 
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2017-07-07 14:51:28 UTC 
ppc64 stable
Comment 11 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-17 00:30:17 UTC 
Arches, please finish stabilizing hppa

Gentoo Security Padawan
ChrisADR
Comment 12 Sergei Trofimovich (RETIRED) gentoo-dev 2017-09-27 08:26:29 UTC 
hppa stable
Comment 13 Manuel Rüger (RETIRED) gentoo-dev 2017-09-27 10:03:35 UTC 
Vulnerable versions for these issues have been cleaned up.
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2017-09-27 11:51:59 UTC 
Downgraded to B3.  All reports discuss DoS and provide no PoC for ACE/RCE.  

GLSA Vote: No