Security vulnerabilities in openvpn in 16.04LTS

Bug #1691531 reported by Jeff on 2017-05-17
This bug affects 1 person
Affects Status Importance Assigned to Milestone
openvpn (Ubuntu)

Bug Description

OpenVPN 2.4 was audited by OSTIF and QuarksLab.

QuarksLab found:
○ 1 Critical/High Vulnerability CVE-2017-7478
○ 1 Medium Vulnerability CVE-2017-7479
○ 5 Low or Informational Vulnerabilities / Concerns

OpenVPN 2.4.2 was published to address the noted issues.

OpenVPN 2.4.2 Link:

Full report here:

CVE References

Tyler Hicks (tyhicks) on 2017-05-18
information type: Private Security → Public Security
Changed in openvpn (Ubuntu):
status: New → Fix Released
Tyler Hicks (tyhicks) wrote :

Hi Jeff - Thanks for the bug report! We've released an update for these issues in Ubuntu 17.04, which is the only stable Ubuntu release that CVE-2017-7478 affected. CVE-2017-7479 also affects all stable Ubuntu releases before 17.04 but we rated it as a 'low' and, therefore, we won't release security updates unless a higher severity issue is found in openvpn. This is to reduce the chance of regression in an update that only addresses a low impact security issue.

We published an Ubuntu Security Notice for the Ubuntu 17.04 update:

We also tweeted about it:

I hope you'll find one of those information feeds helpful.

Jeff (jdferron) wrote :

Thanks Tyler!

This report contains Public Security information
Everyone can see this security related information.