Security vulnerabilities in openvpn in 16.04LTS

Bug #1691531 reported by Jeff on 2017-05-17
This bug affects 1 person
Affects: openvpn (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

OpenVPN 2.4 was audited by OSTIF and QuarksLab.

QuarksLab found:
○ 1 Critical/High Vulnerability CVE-2017-7478
○ 1 Medium Vulnerability CVE-2017-7479
○ 5 Low or Informational Vulnerabilities / Concerns

OpenVPN 2.4.2 was published to address the noted issues.

OpenVPN 2.4.2 link: https://openvpn.net/index.php/open-source/downloads.html

Full report here: https://ostif.org/wp-content/uploads/2017/05/OpenVPN1.2final.pdf

Tyler Hicks (tyhicks) on 2017-05-18
information type: Private Security → Public Security
Changed in openvpn (Ubuntu):
status: New → Fix Released
Tyler Hicks (tyhicks) wrote :

Hi Jeff - Thanks for the bug report! We've released an update for these issues in Ubuntu 17.04, which is the only stable Ubuntu release that CVE-2017-7478 affected. CVE-2017-7479 also affects all stable Ubuntu releases before 17.04 but we rated it as a 'low' and, therefore, we won't release security updates unless a higher severity issue is found in openvpn. This is to reduce the chance of regression in an update that only addresses a low impact security issue.

We published an Ubuntu Security Notice for the Ubuntu 17.04 update:

  https://www.ubuntu.com/usn/usn-3284-1/

We also tweeted about it:

  https://twitter.com/ubuntu_sec/status/864243702042177536

I hope you'll find one of those information feeds helpful.

Jeff (jdferron) wrote :

Thanks Tyler!
