ALAS-2017-852


Amazon Linux AMI Security Advisory: ALAS-2017-852
Advisory Release Date: 2017-07-06 22:56 Pacific
Severity: Important

Issue Overview:

OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to remote denial-of-service when receiving a malformed IPv6 packet. (CVE-2017-7508)

OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to denial-of-service by an authenticated remote attacker who sends a certificate with an embedded NULL character. (CVE-2017-7522)

OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to remote denial-of-service due to memory exhaustion caused by memory leaks and a double-free issue in extract_x509_extension(). (CVE-2017-7521)

OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to denial-of-service and/or possibly a leak of sensitive memory, triggered by a man-in-the-middle attacker. (CVE-2017-7520)


Affected Packages:

openvpn


Issue Correction:
Run yum update openvpn to update your system.

New Packages:
i686:
    openvpn-devel-2.4.3-1.19.amzn1.i686
    openvpn-debuginfo-2.4.3-1.19.amzn1.i686
    openvpn-2.4.3-1.19.amzn1.i686

src:
    openvpn-2.4.3-1.19.amzn1.src

x86_64:
    openvpn-2.4.3-1.19.amzn1.x86_64
    openvpn-debuginfo-2.4.3-1.19.amzn1.x86_64
    openvpn-devel-2.4.3-1.19.amzn1.x86_64
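
To confirm that the update under Issue Correction took effect, the following added example (not part of the advisory) compares each installed openvpn build against the fixed build from the New Packages list. The function names and the script name check_openvpn.sh are hypothetical, and ordering relies on GNU sort -V rather than RPM's own comparison.

```shell
#!/bin/sh
# Added example, not part of the advisory.
# Fixed build, taken from the "New Packages" list above.
FIXED_EVR="2.4.3-1.19.amzn1"

# Return 0 if version-release string $1 is at or above FIXED_EVR,
# 1 if it is older, 2 if no argument was given.
# Assumption: GNU sort -V is used for ordering; it agrees with RPM for
# dotted numeric strings like these but is not a full rpmvercmp.
openvpn_is_fixed() {
    candidate="$1"
    [ -n "$candidate" ] || return 2
    lowest=$(printf '%s\n%s\n' "$candidate" "$FIXED_EVR" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_EVR" ]
}

# Query the RPM database and report each installed openvpn build.
# Returns 0 if nothing vulnerable is installed, 1 otherwise, 3 without rpm.
check_installed_openvpn() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found"; return 3; }
    builds=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' openvpn 2>/dev/null) || {
        echo "openvpn is not installed"; return 0; }
    status=0
    for build in $builds; do
        if openvpn_is_fixed "$build"; then
            echo "OK: openvpn-$build includes the ALAS-2017-852 fixes"
        else
            echo "VULNERABLE: openvpn-$build is older than $FIXED_EVR; run: yum update openvpn"
            status=1
        fi
    done
    return $status
}

# Run the check only when asked, e.g.: sh check_openvpn.sh --check
# (check_openvpn.sh is a hypothetical file name)
if [ "${1:-}" = "--check" ]; then
    check_installed_openvpn
fi
```

A running OpenVPN daemon keeps the old code mapped until it is restarted, so a passing package check should be followed by a service restart.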