[3.5] openvpn: Multiple vulnerabilities (CVE-2017-7478, CVE-2017-7479) (#7413) · Issues · alpine / aports

[3.5] openvpn: Multiple vulnerabilities (CVE-2017-7478, CVE-2017-7479)

CVE-2017-7478: OpenVPN version 2.3.12 and newer is vulnerable to unauthenticated Denial of Service of server via received large control packet.

Fixed In Version:

openvpn 2.3.15, openvpn 2.4.2

References:

https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineerAudits
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7478

Patch:

https://github.com/OpenVPN/openvpn/commit/feb35ee5cac605edddd6e9dc62941e2c53f96fb3

CVE-2017-7479: OpenVPN versions before 2.3.15 and before 2.4.2 are vulnerable to reachable assertion when packet-ID
counter rolls over resulting into Denial of Service of server by authenticated attacker.

Fixed In Version:

openvpn 2.3.15, openvpn 2.4.2

References:

https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineerAudits
https://nvd.nist.gov/vuln/detail/CVE-2017-7479

Patch:

https://github.com/OpenVPN/openvpn/commit/b727643cdf4e078f132a90e1c474a879a5760578

(from redmine: issue id 7413, created on 2017-06-11, closed on 2017-06-14)

Changesets:
- Revision 039751f5 on 2017-06-13T09:50:46Z:

main/openvpn: security upgrade to 2.3.15 (CVE-2017-7478, CVE-2017-7479). Fixes #7413

To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information