Arch Linux Security Advisory ASA-201512-19 ========================================== Severity: Low Date : 2015-12-28 CVE-ID : N/A Package : openvpn Type : out-of-bound error Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package openvpn before version 2.3.9-1 is vulnerable to an out-of-bound read. Resolution ========== Upgrade to 2.3.9-1. # pacman -Syu "openvpn>=2.3.9-1" The problem has been fixed upstream in version 2.3.9. Workaround ========== None. Description =========== The code always tried to copy-out a "struct sockaddr_in6" even for IPv4 results, which reads more bytes than getaddrinfo() is guaranteed to allocate. Impact ====== A remote attacker might be able to cause a denial of service (application crash) or access sensitive data. References ========== https://bugs.archlinux.org/task/47498 http://seclists.org/oss-sec/2015/q4/535 https://blog.fuzzing-project.org/32-Out-of-bounds-read-in-OpenVPN.html http://permalink.gmane.org/gmane.network.openvpn.devel/10479