[Secure-testing-commits] r52779 - data/CVE
Salvatore Bonaccorso
carnil at moszumanska.debian.org
Wed Jun 21 12:27:09 UTC 2017
Author: carnil
Date: 2017-06-21 12:27:09 +0000 (Wed, 21 Jun 2017)
New Revision: 52779
Modified:
data/CVE/list
Log:
Add more references for openvpn issues
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2017-06-21 12:18:08 UTC (rev 52778)
+++ data/CVE/list 2017-06-21 12:27:09 UTC (rev 52779)
@@ -6587,19 +6587,24 @@
CVE-2017-7522 [Crash mbed TLS/PolarSSL-based server]
RESERVED
- openvpn <unfixed> (unimportant)
+ NOTE: Fixed by: https://github.com/OpenVPN/openvpn/commit/426392940c
+ NOTE: https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243
NOTE: http://www.openwall.com/lists/oss-security/2017/06/21/6
NOTE: In Debian openvpn is compiled against OpenSSL, thus even affected
- NOTE: code present
-CVE-2017-7521 [Remote server crashes/double-free/memory leaks in certificate processing]
+ NOTE: code present.
+CVE-2017-7521 [Potential double-free in --x509-alt-username and memory leaks]
RESERVED
- openvpn <unfixed>
+ NOTE: Fixed by: https://github.com/OpenVPN/openvpn/commit/cb4e35ece4
+ NOTE: Fixed by: https://github.com/OpenVPN/openvpn/commit/2d032c7fcd
+ NOTE: https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243
NOTE: http://www.openwall.com/lists/oss-security/2017/06/21/6
- TODO: check
-CVE-2017-7520 [Remote (including MITM) client crash, data leak]
+CVE-2017-7520 [Pre-authentication remote crash/information disclosure for clients]
RESERVED
- openvpn <unfixed>
+ NOTE: Fixed by: https://github.com/OpenVPN/openvpn/commit/7718c8984f
+ NOTE: https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243
NOTE: http://www.openwall.com/lists/oss-security/2017/06/21/6
- TODO: check
CVE-2017-7519 [libradosstriper processes arbitrary printf placeholders in user input]
RESERVED
- ceph <unfixed> (bug #864535)
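Review bot: In the CVE-2017-7522 entry, the two-line NOTE still reads "thus even affected / code present." after this change, which only adds the trailing period, so the sentence remains hard to parse. If the intent is that the Debian build is not affected because it links against OpenSSL rather than mbed TLS/PolarSSL, which the (unimportant) tag suggests, say so directly, for example "thus not affected even though the code is present". Separately, the "TODO: check" markers are dropped for CVE-2017-7521 and CVE-2017-7520 while both stay at "- openvpn <unfixed>"; that is consistent with the new "Fixed by" references, but the entries will need a fixed version once an upload carrying those commits lands.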
@@ -6633,11 +6638,12 @@
CVE-2017-7509
RESERVED
NOT-FOR-US: Red Hat Certificate System
-CVE-2017-7508 [Remote server crash (forced assertion failure)]
+CVE-2017-7508 [Remotely-triggerable ASSERT() on malformed IPv6 packet]
RESERVED
- openvpn <unfixed>
NOTE: http://www.openwall.com/lists/oss-security/2017/06/21/6
- TODO: check
+ NOTE: https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243
+ NOTE: Fixed by: https://github.com/OpenVPN/openvpn/commit/c3f47077a7
CVE-2017-7507 (GnuTLS version 3.5.12 and earlier is vulnerable to a NULL pointer ...)
{DSA-3884-1}
[experimental] - gnutls28 3.5.13-1
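Review bot: The NOTE lines added for CVE-2017-7508 are ordered differently from the three other openvpn entries touched in this same revision: here the oss-security link comes first, followed by the wiki link and then "Fixed by", whereas for CVE-2017-7522, CVE-2017-7521 and CVE-2017-7520 the order is "Fixed by", wiki link, oss-security link. Using one order across all four entries would make the list easier to scan and to process with scripts, for example by moving "NOTE: Fixed by: https://github.com/OpenVPN/openvpn/commit/c3f47077a7" directly under "- openvpn <unfixed>".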