Source: openvpn
Version: 2.6.3-2.1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerabilities were published for openvpn.

CVE-2023-46849[0]:
| Using the --fragment option in certain configuration setups OpenVPN
| version 2.6.0 to 2.6.6 allows an attacker to trigger a divide by
| zero behaviour which could cause an application crash, leading to a
| denial of service.


CVE-2023-46850[1]:
| Use after free in OpenVPN version 2.6.0 to 2.6.6 may lead to
| undefined behaviour, leaking memory buffers or remote execution when
| sending network buffers to a remote peer.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-46849
    https://www.cve.org/CVERecord?id=CVE-2023-46849
[1] https://security-tracker.debian.org/tracker/CVE-2023-46850
    https://www.cve.org/CVERecord?id=CVE-2023-46850
[2] https://community.openvpn.net/openvpn/wiki/CVE-2023-46849
[3] https://community.openvpn.net/openvpn/wiki/CVE-2023-46850

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
