CVE-2017-7479

NameCVE-2017-7479
DescriptionOpenVPN versions before 2.3.15 and before 2.4.2 are vulnerable to reachable assertion when packet-ID counter rolls over resulting into Denial of Service of server by authenticated attacker.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-944-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
openvpn (PTS)buster2.4.7-1+deb10u1fixed
bullseye2.5.1-3fixed
bookworm, bookworm (security)2.6.3-1+deb12u2fixed
trixie2.6.7-1fixed
sid2.6.9-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
openvpnsourcewheezy2.2.1-8+deb7u4DLA-944-1
openvpnsourcejessie2.3.4-5+deb8u2
openvpnsource(unstable)2.4.0-5low

Notes

https://github.com/OpenVPN/openvpn/commit/e498cb0ea8d3a451b39eaf6f9b6a7488f18250b8 (master)
https://github.com/OpenVPN/openvpn/commit/591a4e574c43cb9e820950f15dcaabda261def78 (2.4.x)
https://github.com/OpenVPN/openvpn/commit/b727643cdf4e078f132a90e1c474a879a5760578 (2.3.x)
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14643.html (3 patches for 2.2.x)
https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineerAudits

Search for package or bug name: Reporting problems