CVE-2017-7478

NameCVE-2017-7478
DescriptionOpenVPN version 2.3.12 and newer is vulnerable to unauthenticated Denial of Service of server via received large control packet. Note that this issue is fixed in 2.3.15 and 2.4.2.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
openvpn (PTS)bullseye2.5.1-3fixed
bookworm, bookworm (security)2.6.3-1+deb12u2fixed
sid, trixie2.6.12-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
openvpnsourcewheezy(not affected)
openvpnsourcejessie(not affected)
openvpnsource(unstable)2.4.0-5

Notes

[jessie] - openvpn <not-affected> (Vulnerable code introduced later)
[wheezy] - openvpn <not-affected> (Vulnerable code introduced later)
https://github.com/OpenVPN/openvpn/commit/5774cf4c25e1d8bf4e544702db8f157f111c9d93 (master)
https://github.com/OpenVPN/openvpn/commit/66b99a0753352c5cc43e11e39835b6423112df98 (2.4.x)
https://github.com/OpenVPN/openvpn/commit/feb35ee5cac605edddd6e9dc62941e2c53f96fb3 (2.3.x)
Introduced in: https://github.com/OpenVPN/openvpn/commit/3c1b19e04745177185decd14da82c71458442b82 (2.4.0)
Introduced in (backported to 2.3.12): https://github.com/OpenVPN/openvpn/commit/358f513c008bf01fadb82759ac75ffb8613fc785
https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineerAudits

Search for package or bug name: Reporting problems