CVE-2017-7478

Priority
High
Description
OpenVPN versions 2.3.12 and newer are vulnerable to an unauthenticated
denial of service of the server via a large received control packet. Note
that this issue is fixed in 2.3.15 and 2.4.2.
Ubuntu-Description
It was discovered that OpenVPN improperly triggered an assert when
receiving an oversized control packet. A remote attacker could use
this to cause a denial of service (server or client crash).
References
Bugs
Notes
 sbeattie> introduced in 3c1b19e04745177185decd14da82c71458442b82
 sbeattie> (2.4.0); also was backported to 2.3 in
 sbeattie> 358f513c008bf01fadb82759ac75ffb8613fc785 (2.3.12)
Assigned-to
sbeattie
Package
Upstream:released (2.4.0-5)
Ubuntu 17.10 (Artful Aardvark):not-affected (2.4.0-5ubuntu1)
Ubuntu 12.04 ESM (Precise Pangolin):not-affected
Ubuntu 14.04 LTS (Trusty Tahr):not-affected
Ubuntu Core 15.04:DNE
Ubuntu 16.04 LTS (Xenial Xerus):not-affected
Ubuntu 17.04 (Zesty Zapus):released (2.4.0-4ubuntu1.2)

Updated: 2017-08-11 23:55:56 UTC (commit 13081)