New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 738672 link

Starred by 1 user
Status: WontFix
Owner:
cernekee@chromium.org
Last visit > 30 days ago
Closed: Jul 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug-Security



Sign in to add a comment

CrOS: Vulnerability reported in net-vpn/openvpn

Project Member Reported by vomit.go...@appspot.gserviceaccount.com, Jul 1 2017 
Automated analysis has detected that the following third party packages have had vulnerabilities publicly reported. 

NOTE: There may be several bugs listed below - in almost all cases, all bugs can be quickly addressed by upgrading to the latest version of the package.

Package Name: net-vpn/openvpn
Package Version: [cpe:/a:openvpn:openvpn:2.4.2 cpe:/a:openvpn:openvpn:2.4.3]

Advisory: CVE-2017-7508
  Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-7508
  CVSS severity score: 5/10.0
  Confidence: high
  Description:

OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to remote denial-of-service when receiving malformed IPv6 packet.
Advisory: CVE-2017-7522
  Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-7522
  CVSS severity score: 4/10.0
  Confidence: high
  Description:

OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to denial-of-service by authenticated remote attacker via sending a certificate with an embedded NULL character.

Comment 1 by dominickn@chromium.org, Jul 3 2017

Components: OS>Kernel
Owner: groeck@chromium.org
Status: Assigned (was: Untriaged)

Comment 2 by groeck@chromium.org, Jul 3 2017

Components: -OS>Kernel OS>Packages
Labels: -ComponentOSKernel
Owner: vapier@chromium.org
@vapier - if not you, please let me know who I should assign such bugs to.

Comment 3 by mnissler@chromium.org, Jul 3 2017

Owner: cernekee@chromium.org
cernekee@ has been handling OpenVPN issues in the past.

Comment 4 by mnissler@chromium.org, Jul 3 2017

Status: WontFix (was: Assigned)
We've already updated to 2.4.3 per https://chromium-review.googlesource.com/c/546856/

Closing.
Project Member

Comment 5 by sheriffbot@chromium.org, Oct 9 2017

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Sign in to add a comment