Debian Security Advisory DSA 3900-1 (openvpn - security update)

Several issues were discovered in openvpn, a virtual private network application. CVE-2017-7479 It was discovered that openvpn did not properly handle the rollover of packet identifiers. This would allow an authenticated remote attacker to cause a denial-of-service via application crash. CVE-2017-7508 Guido Vranken discovered that openvpn did not properly handle specific malformed IPv6 packets. This would allow a remote attacker to cause a denial-of-service via application crash. CVE-2017-7520 Guido Vranken discovered that openvpn did not properly handle clients connecting to an HTTP proxy with NTLMv2 authentication. This would allow a remote attacker to cause a denial-of-service via application crash, or potentially leak sensitive information like the user's proxy password. CVE-2017-7521 Guido Vranken discovered that openvpn did not properly handle some x509 extensions. This would allow a remote attacker to cause a denial-of-service via application crash.

openvpn on Debian Linux

This check tests the installed software version using the apt package manager.

For the oldstable distribution (jessie), these problems have been fixed in version 2.3.4-5+deb8u2. For the stable distribution (stretch), these problems have been fixed in version 2.4.0-6+deb9u1. For the testing distribution (buster), these problems have been fixed in version 2.4.3-1. For the unstable distribution (sid), these problems have been fixed in version 2.4.3-1. We recommend that you upgrade your openvpn packages.