CVE-2017-7479

NameCVE-2017-7479
DescriptionOpenVPN versions before 2.3.15 and before 2.4.2 are vulnerable to reachable assertion when packet-ID counter rolls over resulting into Denial of Service of server by authenticated attacker.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-944-1
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
openvpn (PTS)wheezy2.2.1-8+deb7u3vulnerable
wheezy (security)2.2.1-8+deb7u5fixed
jessie (security), jessie2.3.4-5+deb8u2fixed
stretch2.4.0-6+deb9u2fixed
stretch (security)2.4.0-6+deb9u1fixed
buster, sid2.4.3-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
openvpnsource(unstable)2.4.0-5low
openvpnsourcejessie2.3.4-5+deb8u2medium
openvpnsourcewheezy2.2.1-8+deb7u4mediumDLA-944-1

Notes

https://github.com/OpenVPN/openvpn/commit/e498cb0ea8d3a451b39eaf6f9b6a7488f18250b8 (master)
https://github.com/OpenVPN/openvpn/commit/591a4e574c43cb9e820950f15dcaabda261def78 (2.4.x)
https://github.com/OpenVPN/openvpn/commit/b727643cdf4e078f132a90e1c474a879a5760578 (2.3.x)
https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg14643.html (3 patches for 2.2.x)
https://community.openvpn.net/openvpn/wiki/QuarkslabAndCryptographyEngineerAudits

Search for package or bug name: Reporting problems