Debian Security Advisory

DLA-999-1 openvpn -- LTS security update

Date Reported:
22 Jun 2017
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2017-7520.
More information:

It was discovered that there were multiple out-of-bounds memory read vulnerabilities in openvpn, a popular virtual private network (VPN) daemon.

If clients used a HTTP proxy with NTLM authentication, a man-in-the-middle attacker could cause the client to crash or disclose at most 96 bytes of stack memory, likely to contain the proxy password.

For Debian 7 Wheezy, this issue has been fixed in openvpn version 2.2.1-8+deb7u5.

We recommend that you upgrade your openvpn packages.