Your message dated Sat, 15 Jul 2017 20:48:06 +0000
with message-id <e1dwtyw-000hrs...@fasolo.debian.org>
and subject line Bug#865480: fixed in openvpn 2.3.4-5+deb8u2
has caused the Debian Bug report #865480,
regarding openvpn: CVE-2017-7508 CVE-2017-7520 CVE-2017-7521
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
865480: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=865480
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: openvpn
Version: 2.3.4-1
Severity: grave
Tags: security upstream
Hi,
the following vulnerabilities were published for openvpn.
CVE-2017-7508[0]:
Remotely-triggerable ASSERT() on malformed IPv6 packet
CVE-2017-7520[1]:
Pre-authentication remote crash/information disclosure for clients
CVE-2017-7521[2]:
Potential double-free in --x509-alt-username and memory leaks
If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-7508
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7508
[1] https://security-tracker.debian.org/tracker/CVE-2017-7520
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7520
[2] https://security-tracker.debian.org/tracker/CVE-2017-7521
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7521
[3] https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243
[4] http://www.openwall.com/lists/oss-security/2017/06/21/6
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: openvpn
Source-Version: 2.3.4-5+deb8u2
We believe that the bug you reported is fixed in the latest version of
openvpn, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 865...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Alberto Gonzalez Iniesta <a...@inittab.org> (supplier of updated openvpn
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Thu, 22 Jun 2017 17:25:13 +0200
Source: openvpn
Binary: openvpn
Architecture: source amd64
Version: 2.3.4-5+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Alberto Gonzalez Iniesta <a...@inittab.org>
Changed-By: Alberto Gonzalez Iniesta <a...@inittab.org>
Description:
openvpn - virtual private network daemon
Closes: 865480
Changes:
 openvpn (2.3.4-5+deb8u2) jessie-security; urgency=high
 .
   * SECURITY UPDATE: authenticated remote DoS vulnerability due to
     packet ID rollover. CVE-2017-7479.
     Kudos to Steve Beattie <sbeat...@ubuntu.com> for doing all the backporting
     work for this patch.
     - debian/patches/CVE-2017-7479-prereq.patch: merge
       packet_id_alloc_outgoing() into packet_id_write()
     - debian/patches/CVE-2017-7479.patch: do not assert when packet ID
       rollover occurs
   * SECURITY UPDATE: (Closes: #865480)
     - CVE-2017-7508.patch. Fix remotely-triggerable ASSERT() on malformed IPv6
       packet.
     - CVE-2017-7520.patch. Prevent two kinds of stack buffer OOB reads and a
       crash for invalid input data.
     - CVE-2017-7521.patch. Fix potential double-free in --x509-alt-username.
     - CVE-2017-7521bis.patch. Fix remote-triggerable memory leaks.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---