Candidate: CVE-2017-7522
PublicDate: 2017-06-27 13:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7522
 https://community.openvpn.net/openvpn/wiki/VulnerabilitiesFixedInOpenVPN243
 http://www.openwall.com/lists/oss-security/2017/06/21/6
Description:
 OpenVPN versions before 2.4.3 and before 2.3.17 are vulnerable to
 denial-of-service by authenticated remote attacker via sending a
 certificate with an embedded NULL character.
Ubuntu-Description:
Notes:
 mdeslaur> introduced in 2.4
 mdeslaur> in Debian/Ubuntu, package is built with openssl
Bugs:
Priority: medium
Discovered-by: Guido Vranken
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H [6.5 MEDIUM]

Patches_openvpn:
 upstream: https://github.com/OpenVPN/openvpn/commit/426392940c
 upstream: https://github.com/OpenVPN/openvpn/commit/67edada0be (2.4)
upstream_openvpn: released (2.4.3, 2.3.17)
precise/esm_openvpn: not-affected
trusty_openvpn: not-affected (2.3.2-7ubuntu3.1)
trusty/esm_openvpn: not-affected (2.3.2-7ubuntu3.1)
vivid/ubuntu-core_openvpn: DNE
xenial_openvpn: not-affected (2.3.10-1ubuntu2)
esm-infra/xenial_openvpn: not-affected (2.3.10-1ubuntu2)
yakkety_openvpn: not-affected (2.3.11-1ubuntu2)
zesty_openvpn: not-affected (code not compiled)
devel_openvpn: not-affected (code not compiled)