Your message dated Sat, 11 Nov 2023 21:34:53 +0000
with message-id <e1r1vcz-002pn6...@fasolo.debian.org>
and subject line Bug#1055805: fixed in openvpn 2.6.7-1
has caused the Debian Bug report #1055805,
regarding openvpn: CVE-2023-46849 CVE-2023-46850
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1055805: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055805
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: openvpn
Version: 2.6.3-2.1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for openvpn.

CVE-2023-46849[0]:
| Using the --fragment option in certain configuration setups OpenVPN
| version 2.6.0 to 2.6.6 allows an attacker to trigger a divide by
| zero behaviour which could cause an application crash, leading to a
| denial of service.


CVE-2023-46850[1]:
| Use after free in OpenVPN version 2.6.0 to 2.6.6 may lead to
| undefined behaviour, leaking memory buffers or remote execution when
| sending network buffers to a remote peer.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-46849
    https://www.cve.org/CVERecord?id=CVE-2023-46849
[1] https://security-tracker.debian.org/tracker/CVE-2023-46850
    https://www.cve.org/CVERecord?id=CVE-2023-46850
[2] https://community.openvpn.net/openvpn/wiki/CVE-2023-46849
[3] https://community.openvpn.net/openvpn/wiki/CVE-2023-46850

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: openvpn
Source-Version: 2.6.7-1
Done: Bernhard Schmidt <be...@debian.org>

We believe that the bug you reported is fixed in the latest version of
openvpn, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1055...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bernhard Schmidt <be...@debian.org> (supplier of updated openvpn package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 11 Nov 2023 22:01:15 +0100
Source: openvpn
Architecture: source
Version: 2.6.7-1
Distribution: unstable
Urgency: medium
Maintainer: Bernhard Schmidt <be...@debian.org>
Changed-By: Bernhard Schmidt <be...@debian.org>
Closes: 1033179 1055805
Changes:
 openvpn (2.6.7-1) unstable; urgency=medium
 .
   [ Aquila Macedo ]
   * d/control: bump debhelper-compat level to 13.
   * d/patches: Remove outdated patches
   * d/patches: fix typo in openvpn binary
   * d/patches: fix typo in manpages
   * d/copyright: Update license to BSD-2
   * d/openvpn.service: add documentation
 .
   [ Bernhard Schmidt ]
   * New upstream version 2.6.7, fixing two CVEs (Closes: #1055805)
     - CVE-2023-46849: Use of --fragment option can lead to a division by zero
       error which can be fatal
     - CVE-2023-46850: Incorrect use of send buffer can cause memory to be sent
       to peer
   * Pick patch recommended by upstream in GH#449 to fix segfault
     introduced in 2.6.7
 .
   [ Remus-Gabriel Chelu ]
   * Add Romanian templates translation (Closes: #1033179)

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
