openvpn: CVE-2017-7508 CVE-2017-7520 CVE-2017-7521

Related Vulnerabilities: CVE-2017-7508   CVE-2017-7520   CVE-2017-7521   CVE-2017-7522   CVE-2017-7479  

Debian Bug report logs - #865480

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 21 Jun 2017 20:00:02 UTC

Severity: grave

Tags: security, upstream

Found in version openvpn/2.3.4-1

Fixed in versions openvpn/2.4.3-1, openvpn/2.4.0-6+deb9u1, openvpn/2.3.4-5+deb8u2

Done: Alberto Gonzalez Iniesta <agi@inittab.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Alberto Gonzalez Iniesta <agi@inittab.org>:
Bug#865480; Package src:openvpn. (Wed, 21 Jun 2017 20:00:05 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Alberto Gonzalez Iniesta <agi@inittab.org>. (Wed, 21 Jun 2017 20:00:05 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: openvpn: CVE-2017-7508 CVE-2017-7520 CVE-2017-7521
Date: Wed, 21 Jun 2017 21:56:14 +0200

Source: openvpn
Version: 2.3.4-1
Severity: grave
Tags: security upstream

Hi,

the following vulnerabilities were published for openvpn.

CVE-2017-7508[0]:
Remotely-triggerable ASSERT() on malformed IPv6 packet

CVE-2017-7520[1]:
Pre-authentication remote crash/information disclosure for clients

CVE-2017-7521[2]:
Potential double-free in --x509-alt-username and memory leaks

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7508
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7508
[1] https://security-tracker.debian.org/tracker/CVE-2017-7520
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7520
[2] https://security-tracker.debian.org/tracker/CVE-2017-7521
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7521
[3] https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243
[4] http://www.openwall.com/lists/oss-security/2017/06/21/6

Regards,
Salvatore



Information stored:
Bug#865480; Package src:openvpn. (Thu, 22 Jun 2017 09:21:10 GMT).


Acknowledgement sent to Raphael Hertzog <hertzog@debian.org>:
Extra info received and filed, but not forwarded. (Thu, 22 Jun 2017 09:21:10 GMT).


Message #10 received at 865480-quiet@bugs.debian.org:

From: Raphael Hertzog <hertzog@debian.org>
To: Alberto Gonzalez Iniesta <agi@inittab.org>, 865480-quiet@bugs.debian.org
Cc: debian-lts@lists.debian.org
Subject: Wheezy update of openvpn?
Date: Thu, 22 Jun 2017 11:16:04 +0200

Hello Alberto,

The Debian LTS team would like to fix the security issues which are
currently open in the Wheezy version of openvpn:
https://security-tracker.debian.org/tracker/CVE-2017-7508
https://security-tracker.debian.org/tracker/CVE-2017-7520
https://security-tracker.debian.org/tracker/CVE-2017-7521

Would you like to take care of this yourself?

If yes, please follow the workflow we have defined here:
https://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

You can also opt-out from receiving future similar emails in your
answer and then the LTS Team will take care of openvpn updates
for the LTS releases.

Thank you very much.

Raphaël Hertzog,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/



Information stored:
Bug#865480; Package src:openvpn. (Thu, 22 Jun 2017 09:21:12 GMT).


Acknowledgement sent to Alberto Gonzalez Iniesta <agi@inittab.org>:
Extra info received and filed, but not forwarded. (Thu, 22 Jun 2017 09:21:12 GMT).


Message #15 received at 865480-quiet@bugs.debian.org:

From: Alberto Gonzalez Iniesta <agi@inittab.org>
To: Raphael Hertzog <hertzog@debian.org>, 865480-quiet@bugs.debian.org, debian-lts@lists.debian.org
Subject: Re: Wheezy update of openvpn?
Date: Thu, 22 Jun 2017 11:20:12 +0200

On Thu, Jun 22, 2017 at 11:16:04AM +0200, Raphael Hertzog wrote:
> Hello Alberto,
> 
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of openvpn:
> https://security-tracker.debian.org/tracker/CVE-2017-7508
> https://security-tracker.debian.org/tracker/CVE-2017-7520
> https://security-tracker.debian.org/tracker/CVE-2017-7521
> 
> Would you like to take care of this yourself?
> 
> If yes, please follow the workflow we have defined here:
> https://wiki.debian.org/LTS/Development
> 
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with an URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.
> 
> If you don't want to take care of this update, it's not a problem, we
> will do our best with your package. Just let us know whether you would
> like to review and/or test the updated package before it gets released.
> 
> You can also opt-out from receiving future similar emails in your
> answer and then the LTS Team will take care of openvpn updates
> for the LTS releases.
> 
> Thank you very much.
> 
> Raphaël Hertzog,
>   on behalf of the Debian LTS team.
> 
> PS: A member of the LTS team might start working on this update at
> any point in time. You can verify whether someone is registered
> on this update in this file:
> https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup

Hi Raphaël,

My plan was to start working on this today, let's see if real life agrees
on this. I'll start with sid, stretch, jessie and then wheezy. I'll let
you know when I start working on wheezy to avoid duplicate efforts.

Thanks,

Alberto

-- 
Alberto Gonzalez Iniesta    | Formación, consultoría y soporte técnico
mailto/sip: agi@inittab.org | en GNU/Linux y software libre
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D  4BF2 009B 3375 6B9A AA55



Reply sent to Alberto Gonzalez Iniesta <agi@inittab.org>:
You have taken responsibility. (Thu, 22 Jun 2017 15:39:03 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 22 Jun 2017 15:39:03 GMT).


Message #20 received at 865480-close@bugs.debian.org:

From: Alberto Gonzalez Iniesta <agi@inittab.org>
To: 865480-close@bugs.debian.org
Subject: Bug#865480: fixed in openvpn 2.4.3-1
Date: Thu, 22 Jun 2017 15:36:37 +0000

Source: openvpn
Source-Version: 2.4.3-1

We believe that the bug you reported is fixed in the latest version of
openvpn, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 865480@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alberto Gonzalez Iniesta <agi@inittab.org> (supplier of updated openvpn package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 22 Jun 2017 13:25:45 +0200
Source: openvpn
Binary: openvpn
Architecture: source amd64
Version: 2.4.3-1
Distribution: unstable
Urgency: high
Maintainer: Alberto Gonzalez Iniesta <agi@inittab.org>
Changed-By: Alberto Gonzalez Iniesta <agi@inittab.org>
Description:
 openvpn    - virtual private network daemon
Closes: 865480
Changes:
 openvpn (2.4.3-1) unstable; urgency=high
 .
   * The "Bye bye OpenVPN" release.
   * New upstream release fixing: (Closes: #865480)
     - CVE-2017-7508
     - CVE-2017-7520
     - CVE-2017-7521
     - CVE-2017-7522
   * Plugin libs have been moved to /usr/lib/ARCH/openvpn/plugins
   * debian/rules:
     - Remove obsolete options to configure script (enable-password-save,
       with-plugindir (now in ENV_VARS))
     - No need to install upstream's systemd unit files from debian/rules

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Information stored:
Bug#865480; Package src:openvpn. (Thu, 22 Jun 2017 17:21:11 GMT).


Acknowledgement sent to Alberto Gonzalez Iniesta <agi@inittab.org>:
Extra info received and filed, but not forwarded. (Thu, 22 Jun 2017 17:21:11 GMT).


Message #25 received at 865480-quiet@bugs.debian.org:

From: Alberto Gonzalez Iniesta <agi@inittab.org>
To: Raphael Hertzog <hertzog@debian.org>, 865480-quiet@bugs.debian.org, debian-lts@lists.debian.org
Subject: Re: Wheezy update of openvpn?
Date: Thu, 22 Jun 2017 19:16:03 +0200

On Thu, Jun 22, 2017 at 11:16:04AM +0200, Raphael Hertzog wrote:
> Hello Alberto,
> 
> The Debian LTS team would like to fix the security issues which are
> currently open in the Wheezy version of openvpn:
> https://security-tracker.debian.org/tracker/CVE-2017-7508
> https://security-tracker.debian.org/tracker/CVE-2017-7520
> https://security-tracker.debian.org/tracker/CVE-2017-7521
> 
> Would you like to take care of this yourself?
> 
> If yes, please follow the workflow we have defined here:
> https://wiki.debian.org/LTS/Development
> 
> If that workflow is a burden to you, feel free to just prepare an
> updated source package and send it to debian-lts@lists.debian.org
> (via a debdiff, or with an URL pointing to the source package,
> or even with a pointer to your packaging repository), and the members
> of the LTS team will take care of the rest. Indicate clearly whether you
> have tested the updated package or not.

Hi,

Yep, the workflow seems a bit messy for an overworked newcomer. Please
find attached the corresponding debdiff. I have tested the resulting
package in one of my servers (not that many wheezy around these days)
and seems to work fine.

Thanks,

Alberto

-- 
Alberto Gonzalez Iniesta    | Formación, consultoría y soporte técnico
mailto/sip: agi@inittab.org | en GNU/Linux y software libre
Encrypted mail preferred    | http://inittab.com

Key fingerprint = 5347 CBD8 3E30 A9EB 4D7D  4BF2 009B 3375 6B9A AA55
[openvpn_2.2.1-8+deb7u5.debdiff (text/plain, attachment)]

Information stored:
Bug#865480; Package src:openvpn. (Thu, 22 Jun 2017 17:27:19 GMT).


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and filed, but not forwarded. (Thu, 22 Jun 2017 17:27:19 GMT).


Message #30 received at 865480-quiet@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: Alberto Gonzalez Iniesta <agi@inittab.org>, Raphael Hertzog <hertzog@debian.org>, 865480-quiet@bugs.debian.org, debian-lts@lists.debian.org
Subject: Re: Wheezy update of openvpn?
Date: Thu, 22 Jun 2017 18:22:33 +0100

Dear Alberto,

> Yep, the workflow seems a bit messy for an overworked newcomer. Please
> find attached the corresponding debdiff

Wow, thanks very much! I'll take over from here, doing my own testing and
then uploading and announcing, etc.

Thank you again.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb, Debian Project Leader
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Information forwarded to debian-bugs-dist@lists.debian.org, Alberto Gonzalez Iniesta <agi@inittab.org>:
Bug#865480; Package src:openvpn. (Sun, 25 Jun 2017 17:45:05 GMT).


Acknowledgement sent to Bernhard Schmidt <berni@debian.org>:
Extra info received and forwarded to list. Copy sent to Alberto Gonzalez Iniesta <agi@inittab.org>. (Sun, 25 Jun 2017 17:45:05 GMT).


Message #35 received at 865480@bugs.debian.org:

From: Bernhard Schmidt <berni@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>, 865480@bugs.debian.org, agi@inittab.org
Subject: Re: Bug#865480: openvpn: CVE-2017-7508 CVE-2017-7520 CVE-2017-7521
Date: Sun, 25 Jun 2017 19:42:34 +0200

On Wed, Jun 21, 2017 at 09:56:14PM +0200, Salvatore Bonaccorso wrote:

Hi,

> Source: openvpn
> Version: 2.3.4-1
> Severity: grave
> Tags: security upstream
> 
> Hi,
> 
> the following vulnerabilities were published for openvpn.

In light of the recent RFA bug on OpenVPN, has any work been done
on the Jessie version yet?

Bernhard



Information forwarded to debian-bugs-dist@lists.debian.org, Alberto Gonzalez Iniesta <agi@inittab.org>:
Bug#865480; Package src:openvpn. (Sun, 25 Jun 2017 18:12:27 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Alberto Gonzalez Iniesta <agi@inittab.org>. (Sun, 25 Jun 2017 18:12:27 GMT).


Message #40 received at 865480@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Bernhard Schmidt <berni@debian.org>, 865480@bugs.debian.org
Cc: agi@inittab.org, team@security.debian.org
Subject: Re: Bug#865480: openvpn: CVE-2017-7508 CVE-2017-7520 CVE-2017-7521
Date: Sun, 25 Jun 2017 20:11:48 +0200

Hi Bernhard,

On Sun, Jun 25, 2017 at 07:42:34PM +0200, Bernhard Schmidt wrote:
> On Wed, Jun 21, 2017 at 09:56:14PM +0200, Salvatore Bonaccorso wrote:
> 
> Hi,
> 
> > Source: openvpn
> > Version: 2.3.4-1
> > Severity: grave
> > Tags: security upstream
> > 
> > Hi,
> > 
> > the following vulnerabilities were published for openvpn.
> 
> In light of the recent RFA bug on OpenVPN, has any work been done
> on the Jessie version yet?

Yes, Alberto has proposed debdiffs for both stretch-security and
jessie-security to the security team, and we gave some feedback. With
that fixed, we then asked him to upload.

So it's in the works and a DSA will be released when the packages are
built.

Regards,
Salvatore



Reply sent to Alberto Gonzalez Iniesta <agi@inittab.org>:
You have taken responsibility. (Sat, 01 Jul 2017 16:06:11 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 01 Jul 2017 16:06:11 GMT).


Message #45 received at 865480-close@bugs.debian.org:

From: Alberto Gonzalez Iniesta <agi@inittab.org>
To: 865480-close@bugs.debian.org
Subject: Bug#865480: fixed in openvpn 2.4.0-6+deb9u1
Date: Sat, 01 Jul 2017 16:05:09 +0000

Source: openvpn
Source-Version: 2.4.0-6+deb9u1

We believe that the bug you reported is fixed in the latest version of
openvpn, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 865480@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alberto Gonzalez Iniesta <agi@inittab.org> (supplier of updated openvpn package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 22 Jun 2017 18:00:56 +0200
Source: openvpn
Binary: openvpn
Architecture: source amd64
Version: 2.4.0-6+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Alberto Gonzalez Iniesta <agi@inittab.org>
Changed-By: Alberto Gonzalez Iniesta <agi@inittab.org>
Description:
 openvpn    - virtual private network daemon
Closes: 865480
Changes:
 openvpn (2.4.0-6+deb9u1) stretch-security; urgency=high
 .
    * SECURITY UPDATE: (Closes: #865480)
      - CVE-2017-7508.patch. Fix remotely-triggerable ASSERT() on malformed IPv6
        packet.
      - CVE-2017-7520.patch. Prevent two kinds of stack buffer OOB reads and a
        crash for invalid input data.
      - CVE-2017-7521.patch. Fix potential double-free in --x509-alt-username.
      - CVE-2017-7521bis.patch. Fix remote-triggerable memory leaks.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Reply sent to Alberto Gonzalez Iniesta <agi@inittab.org>:
You have taken responsibility. (Sat, 15 Jul 2017 20:51:03 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 15 Jul 2017 20:51:03 GMT).


Message #50 received at 865480-close@bugs.debian.org:

From: Alberto Gonzalez Iniesta <agi@inittab.org>
To: 865480-close@bugs.debian.org
Subject: Bug#865480: fixed in openvpn 2.3.4-5+deb8u2
Date: Sat, 15 Jul 2017 20:48:06 +0000

Source: openvpn
Source-Version: 2.3.4-5+deb8u2

We believe that the bug you reported is fixed in the latest version of
openvpn, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 865480@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alberto Gonzalez Iniesta <agi@inittab.org> (supplier of updated openvpn package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 22 Jun 2017 17:25:13 +0200
Source: openvpn
Binary: openvpn
Architecture: source amd64
Version: 2.3.4-5+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Alberto Gonzalez Iniesta <agi@inittab.org>
Changed-By: Alberto Gonzalez Iniesta <agi@inittab.org>
Description:
 openvpn    - virtual private network daemon
Closes: 865480
Changes:
 openvpn (2.3.4-5+deb8u2) jessie-security; urgency=high
 .
   * SECURITY UPDATE: authenticated remote DoS vulnerability due to
     packet ID rollover. CVE-2017-7479.
     Kudos to Steve Beattie <sbeattie@ubuntu.com> for doing all the backporting
     work for this patch.
     - debian/patches/CVE-2017-7479-prereq.patch: merge
       packet_id_alloc_outgoing() into packet_id_write()
     - debian/patches/CVE-2017-7479.patch: do not assert when packet ID
       rollover occurs
   * SECURITY UPDATE: (Closes: #865480)
     - CVE-2017-7508.patch. Fix remotely-triggerable ASSERT() on malformed IPv6
       packet.
     - CVE-2017-7520.patch. Prevent two kinds of stack buffer OOB reads and a
       crash for invalid input data.
     - CVE-2017-7521.patch. Fix potential double-free in --x509-alt-username.
     - CVE-2017-7521bis.patch. Fix remote-triggerable memory leaks.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 13 Aug 2017 07:29:43 GMT).


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:36:53 2019; Machine Name: buxtehude
