Your message dated Sat, 01 Jul 2017 16:05:09 +0000
with message-id <e1drktr-0004rv...@fasolo.debian.org>
and subject line Bug#865480: fixed in openvpn 2.4.0-6+deb9u1
has caused the Debian Bug report #865480,
regarding openvpn: CVE-2017-7508 CVE-2017-7520 CVE-2017-7521
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
865480: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865480
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: openvpn
Version: 2.3.4-1
Severity: grave
Tags: security upstream

Hi,

the following vulnerabilities were published for openvpn.

CVE-2017-7508[0]:
Remotely-triggerable ASSERT() on malformed IPv6 packet

CVE-2017-7520[1]:
Pre-authentication remote crash/information disclosure for clients

CVE-2017-7521[2]:
Potential double-free in --x509-alt-username and memory leaks

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7508
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7508
[1] https://security-tracker.debian.org/tracker/CVE-2017-7520
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7520
[2] https://security-tracker.debian.org/tracker/CVE-2017-7521
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7521
[3] https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243
[4] http://www.openwall.com/lists/oss-security/2017/06/21/6

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: openvpn
Source-Version: 2.4.0-6+deb9u1

We believe that the bug you reported is fixed in the latest version of
openvpn, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 865...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alberto Gonzalez Iniesta <a...@inittab.org> (supplier of updated openvpn package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 22 Jun 2017 18:00:56 +0200
Source: openvpn
Binary: openvpn
Architecture: source amd64
Version: 2.4.0-6+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Alberto Gonzalez Iniesta <a...@inittab.org>
Changed-By: Alberto Gonzalez Iniesta <a...@inittab.org>
Description:
 openvpn    - virtual private network daemon
Closes: 865480
Changes:
 openvpn (2.4.0-6+deb9u1) stretch-security; urgency=high
 .
    * SECURITY UPDATE: (Closes: #865480)
      - CVE-2017-7508.patch. Fix remotely-triggerable ASSERT() on malformed IPv6
        packet.
      - CVE-2017-7520.patch. Prevent two kinds of stack buffer OOB reads and a
        crash for invalid input data.
      - CVE-2017-7521.patch. Fix potential double-free in --x509-alt-username.
      - CVE-2017-7521bis.patch. Fix remote-triggerable memory leaks.


--- End Message ---
