OpenVPN developers have released a security update to OpenVPN 2.4.3 and 2.3.17.

"We recommend you to upgrade to OpenVPN 2.4.3 or 2.3.17 as soon as possible."

https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243

Cauldron (OpenVPN 2.4.0) may also be affected? Fixes from 2.4.1 and 2.4.2 were backported.
Summary: openvpn new security issues CVE-2017-7508, CVE-2017-7512, CVE-2017-7520, CVE-2017-752, CVE-2017-75221 => openvpn new security issues CVE-2017-7508, CVE-2017-7512, CVE-2017-7520, CVE-2017-7521, CVE-2017-75222
Assigning to registered maintainer
Whiteboard: (none) => MGA5TOO
Summary: openvpn new security issues CVE-2017-7508, CVE-2017-7512, CVE-2017-7520, CVE-2017-7521, CVE-2017-75222 => openvpn new security issues CVE-2017-7508, CVE-2017-7512, CVE-2017-7520, CVE-2017-7521, CVE-2017-7522
Assignee: bugsquad => bruno
CC: (none) => marja11
Source RPM: openvpn-2.3.16-1.mga5.src.rpm => openvpn-2.3.16-1.mga5, openvpn-2.4.0-2.mga6
Version: 5 => Cauldron
openSUSE has issued an advisory for this today (June 21): https://lists.opensuse.org/opensuse-security-announce/2017-06/msg00027.html
CC: (none) => luigiwalser
Any reason why we have not updated to 2.4.3 and are sticking to 2.4.0 ?
FTR, I have now in my SVN a built 2.4.3 version so let me know if you want me to push it.
(In reply to Bruno Cornec from comment #3)
> Any reason why we have not updated to 2.4.3 and are sticking to 2.4.0 ?

Yes, if you look at the changes even just going to 2.4.1 in the Fedora package, it looks to be a non-trivial update.

(In reply to Bruno Cornec from comment #4)
> FTR, I have now in my SVN a built 2.4.3 version so let me know if you want
> me to push it.

As long as I don't have to do the work to update it, if it works, I'm happy to have it updated.
Ok. Works for me locally once installed on mga5. Freeze push asked.
To be clearer, I asked for a freeze push of 2.4.3 for mga6/cauldron, and I have also pushed 2.3.17 to mga5 updates.
CC: (none) => bruno
Status: NEW => ASSIGNED
Assignee: bruno => qa-bugs
Fedora has issued an advisory for this today (June 23):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PWTVFFSR6XK4GJBQ3UH5HACTIDBYSQRN/

Bruno, you should sync with Fedora for Cauldron, as you updated it but it failed to build.

Package list for the Mageia 5 update:
openvpn-2.3.17-1.mga5
libopenvpn-devel-2.3.17-1.mga5
Assignee: qa-bugs => bruno
CC: (none) => qa-bugs
If we need to go back to 2.4.0, Ubuntu has patches: https://www.ubuntu.com/usn/usn-3339-1/
It looks like Bruno fixed this for Cauldron. Thanks! Now we just need an advisory for the Mageia 5 update.
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
Would it be an option to sync the referenced advisory from Fedora to get some progress to this issue?
Advisory:
========================

Updated openvpn packages fix security vulnerabilities:

It was possible to trigger an assertion by sending a malformed IPv6 packet. That issue could have been abused to remotely shutdown an openvpn server or client, if IPv6 and --mssfix were enabled and if the IPv6 networks used inside the VPN were known (CVE-2017-7508).

Some parts of the certificate-parsing code did not always clear all allocated memory. This would have allowed clients to leak a few bytes of memory for each connection attempt, thereby facilitating a (quite inefficient) DoS attack on the server (CVE-2017-7512).

If clients used a HTTP proxy with NTLM authentication, a man-in-the-middle attacker between client and proxy could cause the client to crash or disclose at most 96 bytes of stack memory. The disclosed stack memory was likely to contain the proxy password. If the proxy password had not been reused, this was unlikely to compromise the security of the OpenVPN tunnel itself. Clients who did not use the --http-proxy option with ntlm2 authentication were not affected (CVE-2017-7520).

The ASN1 parsing code contained a bug that could have resulted in some buffers being free()d twice, and this issue could have potentially been triggered remotely by a VPN peer (CVE-2017-7521).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7508
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7512
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7520
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7521
https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243
https://lists.opensuse.org/opensuse-security-announce/2017-06/msg00027.html
https://www.ubuntu.com/usn/usn-3339-1/
========================

Updated packages in core/updates_testing:
========================
openvpn-2.3.17-1.mga5
libopenvpn-devel-2.3.17-1.mga5

from openvpn-2.3.17-1.mga5.src.rpm
Assignee: bruno => qa-bugs
CC: qa-bugs => (none)
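A triage sketch for the two configuration-dependent issues in the advisory above, CVE-2017-7508 and CVE-2017-7520 (an added example, not part of the original thread and not Mageia or OpenVPN tooling). The list of IPv6 directives, the treatment of `mssfix` as active unless set to 0, the handling of branches newer than 2.4 and the sample configurations are assumptions of this example.

```python
import re

# Fixed upstream releases named on this page, per branch.
FIXED = {(2, 3): 17, (2, 4): 3}
# Directives taken here as a sign that IPv6 is carried inside the tunnel.
IPV6_DIRECTIVES = {"server-ipv6", "ifconfig-ipv6", "ifconfig-ipv6-pool",
                   "route-ipv6", "tun-ipv6"}

def is_fixed(version):
    """True if an upstream version string is at or past the fixed release.
    Distribution builds with backported patches need their own advisory."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return False
    major, minor, patch = map(int, m.groups())
    if (major, minor) > (2, 4):   # assumption: later branches carry the fixes
        return True
    return patch >= FIXED.get((major, minor), float("inf"))

def directives(config_text):
    """Yield [name, *args] per directive; '#' and ';' start a comment."""
    for line in config_text.splitlines():
        tokens = re.split(r"[#;]", line, maxsplit=1)[0].split()
        if tokens:
            yield [tokens[0].lstrip("-")] + tokens[1:]

def config_gated_cves(version, config_text):
    """CVEs from the advisory whose stated configuration conditions are met."""
    if is_fixed(version):
        return []
    ipv6 = mssfix_off = ntlm2 = False
    for name, *args in directives(config_text):
        if name in IPV6_DIRECTIVES:
            ipv6 = True
        elif name == "mssfix" and args[:1] == ["0"]:
            mssfix_off = True   # assumption: mssfix is active unless set to 0
        elif name == "http-proxy" and "ntlm2" in args:
            ntlm2 = True
    found = []
    if ipv6 and not mssfix_off:
        found.append("CVE-2017-7508")
    if ntlm2:
        found.append("CVE-2017-7520")
    return found

# Constructed sample configurations (hosts and paths are placeholders).
SERVER_CONF = "proto udp\ndev tun\nserver 10.8.0.0 255.255.255.0\nserver-ipv6 fd00:8::/64\n"
CLIENT_CONF = "client\nremote vpn.example.org 1194\nhttp-proxy proxy.example.org 3128 /etc/openvpn/proxy.auth ntlm2\n"
```

CVE-2017-7512 and CVE-2017-7521 are left out because the advisory states no configuration condition for them; for those, only the package version matters.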
I installed the updated version from testing on my i586 system. I had no problems during update, the restart of the service was fine and I'm running the new version with my previous config now for three days without any problems. Thx for the update.
Installed and tested, using previous config, without issues.

$ rpm -q openvpn
openvpn-2.3.17-1.mga5
Whiteboard: (none) => MGA5-64-OK
CC: (none) => mageia
Advisory from Comment 12 uploaded. @David : CVE-2017-7522 is in the title, but missing from the Description & CVE list. If it should be in, can you please add it?
Whiteboard: MGA5-64-OK => MGA5-64-OK advisory
CC: (none) => lewyssmith
Validating. Effectively 2 tests were done - thanks to Stefan & PC_LX. Added 32 bit OK from Comment 13.
Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK advisory => MGA5-64-OK advisory MGA5-32-OK
CC: (none) => sysadmin-bugs
CVE-2017-7522 doesn't affect our packages.
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0224.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED