Debian Security Advisory
DLA-999-1 openvpn -- LTS security update
- Date Reported:
- 22 Jun 2017
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2017-7520.
- More information:
It was discovered that there were multiple out-of-bounds memory read vulnerabilities in openvpn, a popular virtual private network (VPN) daemon.
If clients used a HTTP proxy with NTLM authentication, a man-in-the-middle attacker could cause the client to crash or disclose at most 96 bytes of stack memory, likely to contain the proxy password.
For Debian 7
Wheezy, this issue has been fixed in openvpn version 2.2.1-8+deb7u5.
We recommend that you upgrade your openvpn packages.