Bug #6473
closed
OpenVPN Client Export package - depends on vulnerable p7zip version (CVE-2016-2334, CVE-2016-2335)
Description
This depends on a p7zip version vulnerable to heap-buffer-overflow (CVE-2016-2334) and out-of-bounds read (CVE-2016-2335) vulnerabilities; see http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html
OpenBSD patches for 15.14: http://marc.info/?l=openbsd-ports&m=146405545908474&w=2 (and this needs to go to FreeBSD p7zip port as well, cannot even see a bug open there.)
Updated by Kill Bill over 7 years ago
Bump, this is still not fixed. Please, upgrade to 16.02.
Updated by Jim Pingle over 7 years ago
- Status changed from New to Rejected
Not vulnerable to those. It was patched in the ports tree by FreeBSD back in July.
: pkg info -x p7zip
p7zip-15.14_1
[...]15.14_1
Add patches for CVE-2016-2334 and CVE-2016-2335.
[...]
It is vulnerable to CVE-2016-9296 but the next time the ports tree is updated (which we're working on), it will pick up _2 which has the patch or 16.02, whichever ended up in the quarterly branch. Should be up soon, but this one can be closed.
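
The thread turns on the port revision (`_1`, `_2`) rather than the upstream version number. As an added example that is not part of the original ticket or the project's code, the sketch below compares a package string against the patch levels named in the comments; the function names are hypothetical and the comparison is a simplified stand-in for `pkg version -t`.

```sh
#!/bin/sh
# Added example. Simplified comparison of FreeBSD package versions of the form
# name-version[_portrevision][,portepoch]; numeric dotted versions only.

# Print "epoch version revision" for a package string such as p7zip-15.14_1.
split_pkg() {
    v=${1##*-}; epoch=0; rev=0          # drop the package name
    case $v in *,*) epoch=${v##*,}; v=${v%,*} ;; esac
    case $v in *_*) rev=${v##*_}; v=${v%_*} ;; esac
    echo "$epoch $v $rev"
}

# Print -1, 0 or 1 comparing two dotted numeric versions field by field.
cmp_dotted() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        if [ "${x:-0}" -lt "${y:-0}" ]; then echo -1; return; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then echo 1; return; fi
    done
    echo 0
}

# Succeed when INSTALLED ($1) is at or past FIXED ($2): epoch, version, revision.
pkg_at_least() {
    set -- $(split_pkg "$1") $(split_pkg "$2")
    if [ "$1" -ne "$4" ]; then [ "$1" -gt "$4" ]; return; fi
    c=$(cmp_dotted "$2" "$5")
    if [ "$c" -ne 0 ]; then [ "$c" -gt 0 ]; return; fi
    [ "$3" -ge "$6" ]
}

# Thresholds are the ones named in the thread; treating any later version as
# also carrying the patches is an assumption of this example.
check_p7zip() {
    if ! pkg_at_least "$1" p7zip-15.14_1; then echo "missing CVE-2016-2334/2335 patches"
    elif ! pkg_at_least "$1" p7zip-15.14_2; then echo "missing CVE-2016-9296 patch"
    else echo "patched"; fi
}

# Constructed sample inputs; on a live system feed `pkg info -x p7zip` instead.
for p in p7zip-15.14 p7zip-15.14_1 p7zip-15.14_2; do
    echo "$p: $(check_p7zip "$p")"
done
```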