Multiple security issues were fixed in OpenVPN 2.4.3 and 2.3.17, specifically: CVE-2017-7508: Remotely-triggerable ASSERT() on malformed IPv6 packet https://github.com/OpenVPN/openvpn/commit/c3f47077a7 CVE-2017-7520: Pre-authentication remote crash/information disclosure for clients https://github.com/OpenVPN/openvpn/commit/7718c8984f CVE-2017-7521: Issues in extract_x509_extension() leading to server memory drain/crash/double-free https://github.com/OpenVPN/openvpn/commit/cb4e35ece4 https://github.com/OpenVPN/openvpn/commit/2d032c7fcd CVE-2017-7522: Post-authentication remote DoS when using the --x509-track option https://github.com/OpenVPN/openvpn/commit/426392940c External References: https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243 https://guidovranken.wordpress.com/2017/06/21/the-openvpn-post-audit-bug-bonanza/
Acknowledgments: Name: the OpenVPN project Upstream: Guido Vranken
Created openvpn tracking bugs for this issue: Affects: epel-all [bug 1463644] Affects: fedora-all [bug 1463643]
Statement: This issue does not affect Red Hat Enterprise Linux 5, 6 and 7 as OpenVPN is not included in any of Red Hat's supported products.