Debian Security Advisory

DLA-999-1 openvpn -- LTS security update

Date Reported:
22 Jun 2017
Affected Packages:
openvpn
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2017-7520.
More information:

It was discovered that there were multiple out-of-bounds memory read vulnerabilities in openvpn, a popular virtual private network (VPN) daemon.

If clients used an HTTP proxy with NTLM authentication, a man-in-the-middle attacker could cause the client to crash or disclose at most 96 bytes of stack memory, which is likely to contain the proxy password.

For Debian 7 Wheezy, this issue has been fixed in openvpn version 2.2.1-8+deb7u5.

We recommend that you upgrade your openvpn packages.
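To check whether a Wheezy host is affected, the following added example (not part of the advisory) compares the installed package with the fixed version and flags client configs whose `http-proxy` directive can use NTLM. Assumptions: the function names are hypothetical, and the directive layout (`http-proxy server port [authfile|auto|auto-nct] [auth-method]`) is taken from the OpenVPN manual, not from this page.

```shell
#!/bin/sh
# Added triage helper for DLA-999-1; not part of the advisory.
FIXED_VERSION='2.2.1-8+deb7u5'   # fixed version for Debian 7 Wheezy, from the advisory

# Reads an OpenVPN config on stdin. Exit 0 if an http-proxy directive can
# end up using NTLM: auth-method ntlm/ntlm2, or "auto"/"auto-nct" in the
# authfile slot, which lets the proxy's challenge select the method.
config_uses_ntlm_proxy() {
    awk '
        { sub(/[#;].*/, "") }                 # drop comments (quoting ignored)
        $1 == "http-proxy" {
            if ($4 == "auto" || $4 == "auto-nct") found = 1
            if ($5 == "ntlm" || $5 == "ntlm2")    found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Exit 0 if the given Debian package version predates the fix.
# The comparison is only meaningful on Debian 7 Wheezy.
version_is_vulnerable() {
    dpkg --compare-versions "$1" lt "$FIXED_VERSION"
}

# triage FILE...: report installed version and any NTLM-proxy client configs.
triage() {
    installed=$(dpkg-query -W -f='${Version}' openvpn 2>/dev/null) || installed=''
    if [ -z "$installed" ]; then
        echo "openvpn: not installed"; return 0
    fi
    if version_is_vulnerable "$installed"; then
        echo "openvpn $installed: older than $FIXED_VERSION, upgrade needed"
    else
        echo "openvpn $installed: at or above $FIXED_VERSION"
    fi
    for f in "$@"; do
        if config_uses_ntlm_proxy < "$f"; then
            echo "$f: http-proxy may authenticate with NTLM (affected code path)"
        fi
    done
}

# Typical call: sh check.sh /etc/openvpn/*.conf
if [ "$#" -gt 0 ]; then triage "$@"; fi
```

A host that reports an older version and at least one flagged config should be upgraded first; the proxy password used by that client is the credential the advisory describes as exposed.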