New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 774436 link

Starred by 1 user
Status: Fixed
Owner:
cernekee@chromium.org
Last visit > 30 days ago
Closed: Oct 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug-Security



Sign in to add a comment

CrOS: Vulnerability reported in net-vpn/openvpn

Project Member Reported by vomit.go...@appspot.gserviceaccount.com, Oct 13 2017 
Automated analysis has detected that the following third party packages have had vulnerabilities publicly reported. 

NOTE: There may be several bugs listed below - in almost all cases, all bugs can be quickly addressed by upgrading to the latest version of the package.

Package Name: net-vpn/openvpn
Package Version: [cpe:/a:openvpn:openvpn:2.4.3]

Advisory: CVE-2017-12166
  Details: https://vomit.googleplex.com/advisory?id=CVE/CVE-2017-12166
  CVSS severity score: 6.8/10.0
  Confidence: high
  Description:

OpenVPN versions before 2.3.3 and 2.4.x before 2.4.4 are vulnerable to a buffer overflow vulnerability when key-method 1 is used, possibly resulting in code execution.

Comment 1 by kerrnel@chromium.org, Oct 13 2017

Components: OS>Packages
Labels: -Pri-2 Security_Severity-High Security_Impact-Stable Pri-1
Owner: cernekee@chromium.org
Status: Assigned (was: Untriaged)
Kevin, are you able to upgrade this package?

Comment 2 by kerrnel@chromium.org, Oct 13 2017 

 Issue 774435  has been merged into this issue.

Comment 3 by kerrnel@chromium.org, Oct 13 2017

Labels: M-61
Project Member

Comment 4 by sheriffbot@chromium.org, Oct 18 2017

Labels: -M-61 M-62
Project Member

Comment 5 by bugdroid1@chromium.org, Oct 18 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/fa684c6c22fa23c100a41be38991f44bfaa7fce4

commit fa684c6c22fa23c100a41be38991f44bfaa7fce4
Author: Kevin Cernekee <cernekee@chromium.org>
Date: Wed Oct 18 15:30:15 2017

net-vpn/openvpn: Upgrade to v2.4.4 from upstream

This is a minor bugfix release.

BUG= chromium:774436 
TEST=manually connect to openvpn server

Change-Id: Iff6f801846936bf7afa86210083f0942d49184b6
Reviewed-on: https://chromium-review.googlesource.com/724112
Commit-Ready: Kevin Cernekee <cernekee@chromium.org>
Tested-by: Kevin Cernekee <cernekee@chromium.org>
Reviewed-by: Mattias Nissler <mnissler@chromium.org>

[modify] https://crrev.com/fa684c6c22fa23c100a41be38991f44bfaa7fce4/net-vpn/openvpn/metadata.xml
[rename] https://crrev.com/fa684c6c22fa23c100a41be38991f44bfaa7fce4/net-vpn/openvpn/openvpn-2.4.4.ebuild
[delete] https://crrev.com/e120a5dfa658e3bd97889f8974646f6be696a362/net-vpn/openvpn/openvpn-2.4.3-r1.ebuild
[modify] https://crrev.com/fa684c6c22fa23c100a41be38991f44bfaa7fce4/net-vpn/openvpn/Manifest

Comment 6 by cernekee@chromium.org, Oct 18 2017

Status: Fixed (was: Assigned)
Project Member

Comment 7 by sheriffbot@chromium.org, Oct 19 2017

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify
Project Member

Comment 8 by sheriffbot@chromium.org, Oct 27 2017

Labels: Merge-Request-63
Project Member

Comment 9 by sheriffbot@chromium.org, Oct 27 2017

Labels: -Merge-Request-63 Merge-Review-63 Hotlist-Merge-Review
This bug requires manual review: M63 has already been promoted to the beta branch, so this requires manual review
Please contact the milestone owner if you have questions.
Owners: cmasso@(Android), cmasso@(iOS), gkihumba@(ChromeOS), govind@(Desktop)

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 10 by awhalley@chromium.org, Nov 6 2017

Labels: Release-0-M62

Comment 11 by gkihumba@google.com, Nov 14 2017

Labels: -Hotlist-Merge-Review -Merge-Review-63 Merge-Approved-63

Comment 12 by cernekee@chromium.org, Nov 14 2017

Labels: -Merge-Approved-63
Project Member

Comment 13 by bugdroid1@chromium.org, Nov 14 2017

Labels: merge-merged-release-R63-10032.B
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/71b812e309ab20c6d5354064620f1e051d70b8ab

commit 71b812e309ab20c6d5354064620f1e051d70b8ab
Author: Kevin Cernekee <cernekee@chromium.org>
Date: Tue Nov 14 23:37:13 2017

net-vpn/openvpn: Upgrade to v2.4.4 from upstream

This is a minor bugfix release.

BUG= chromium:774436 
TEST=manually connect to openvpn server

Change-Id: Iff6f801846936bf7afa86210083f0942d49184b6
Reviewed-on: https://chromium-review.googlesource.com/724112
Commit-Ready: Kevin Cernekee <cernekee@chromium.org>
Tested-by: Kevin Cernekee <cernekee@chromium.org>
Reviewed-by: Mattias Nissler <mnissler@chromium.org>
(cherry picked from commit fa684c6c22fa23c100a41be38991f44bfaa7fce4)
Reviewed-on: https://chromium-review.googlesource.com/770150
Reviewed-by: Kevin Cernekee <cernekee@chromium.org>

[modify] https://crrev.com/71b812e309ab20c6d5354064620f1e051d70b8ab/net-vpn/openvpn/metadata.xml
[rename] https://crrev.com/71b812e309ab20c6d5354064620f1e051d70b8ab/net-vpn/openvpn/openvpn-2.4.4.ebuild
[delete] https://crrev.com/a9f8e92043ad52471294f2b41da60426fba8ae5e/net-vpn/openvpn/openvpn-2.4.3-r1.ebuild
[modify] https://crrev.com/71b812e309ab20c6d5354064620f1e051d70b8ab/net-vpn/openvpn/Manifest
Project Member

Comment 14 by sheriffbot@chromium.org, Jan 27 2018

Labels: -Restrict-View-SecurityNotify allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 15 by cernekee@chromium.org, Feb 9 2018 

 Issue 726674  has been merged into this issue.
Project Member

Comment 16 by sheriffbot@chromium.org, Mar 27 2018

Labels: -M-62 M-65

Sign in to add a comment