Explore top 10 tips to secure your open-source projects now. Read More
×
Arch Linux Security Advisory ASA-201512-19 ========================================= Severity: Low Date : 2015-12-28 CVE-ID : N/A Package : openvpn Type : out-of-bound error Remote : Yes Link : https://wiki.archlinux.org/title/CVE Summary ====== The package openvpn before version 2.3.9-1 is vulnerable to an out-of-bound read. Resolution ========= Upgrade to 2.3.9-1. # pacman -Syu "openvpn>=2.3.9-1" The problem has been fixed upstream in version 2.3.9. Workaround ========= None. Description ========== The code always tried to copy-out a "struct sockaddr_in6" even for IPv4 results, which reads more bytes than getaddrinfo() is guaranteed to allocate. Impact ===== A remote attacker might be able to cause a denial of service (application crash) or access sensitive data. References ========= https://bugs.archlinux.org/task/47498 https://seclists.org/oss-sec/2015/q4/535 https://blog.fuzzing-project.org/32-Out-of-bounds-read-in-OpenVPN.html