Bug #6473

closed

OpenVPN Client Export package - depends on vulnerable p7zip version (CVE-2016-2334, CVE-2016-2335)

Added by Kill Bill almost 8 years ago. Updated over 7 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: OpenVPN Client Export
Target version: -
Start date: 06/09/2016
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version: All
Affected Plus Version:
Affected Architecture: All

Description

This depends on a p7zip version vulnerable to heap-buffer-overflow (CVE-2016-2334) and out-of-bounds read (CVE-2016-2335) vulnerabilities; see http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html

OpenBSD patches for 15.14: http://marc.info/?l=openbsd-ports&m=146405545908474&w=2 (and this needs to go to the FreeBSD p7zip port as well, cannot even see a bug open there.)

Actions #1

Updated by Kill Bill over 7 years ago

Bump, this is still not fixed. Please upgrade to 16.02.

Actions #2

Updated by Jim Pingle over 7 years ago

  • Status changed from New to Rejected

Not vulnerable to those. It was patched in the ports tree by FreeBSD back in July.

: pkg info -x p7zip
p7zip-15.14_1

[...]15.14_1
Add patches for CVE-2016-2334 and CVE-2016-2335.
[...]

It is vulnerable to CVE-2016-9296 but the next time the ports tree is updated (which we're working on), it will pick up _2 which has the patch or 16.02, whichever ended up in the quarterly branch. Should be up soon, but this one can be closed.

See also: http://www.freshports.org/archivers/p7zip/
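
The exchange above turns on the port revision suffix (15.14 vs 15.14_1 vs 15.14_2), not the upstream version number alone. The following is an added example, not part of the original ticket or of any project's code: a shell sketch that classifies a package string in the format printed by `pkg info -x p7zip`, using only the fix points stated in this ticket. The function names and the sample package strings are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a FreeBSD package string, as printed by
# `pkg info -x p7zip`, against the fix points quoted in this ticket.

# Version part after the last "-", with any ",PORTEPOCH" suffix removed.
pkg_version() { v=${1##*-}; printf '%s\n' "${v%%,*}"; }

# Upstream version (before "_") and port revision (after "_", default 0).
pkg_upstream() { v=$(pkg_version "$1"); printf '%s\n' "${v%%_*}"; }
pkg_revision() {
    v=$(pkg_version "$1")
    case $v in
        *_*) printf '%s\n' "${v##*_}" ;;
        *)   printf '0\n' ;;
    esac
}

# p7zip_status PKG CVE -> patched | unpatched | unknown
# Fix points taken from the ticket: 15.14_1 adds the CVE-2016-2334/2335
# patches, 15.14_2 adds the CVE-2016-9296 patch, and 16.02 is the upgrade the
# reporter asked for. Anything the ticket does not state is "unknown".
p7zip_status() {
    up=$(pkg_upstream "$1"); rev=$(pkg_revision "$1")
    case "$2:$up" in
        CVE-2016-2334:15.14|CVE-2016-2335:15.14) need=1 ;;
        CVE-2016-9296:15.14)                     need=2 ;;
        CVE-2016-2334:16.02|CVE-2016-2335:16.02) echo patched; return ;;
        *)                                       echo unknown; return ;;
    esac
    if [ "$rev" -ge "$need" ]; then echo patched; else echo unpatched; fi
}

# Constructed sample inputs; on a live system use: pkg info -x p7zip
for p in p7zip-15.14 p7zip-15.14_1 p7zip-15.14_2 p7zip-16.02; do
    for c in CVE-2016-2334 CVE-2016-9296; do
        printf '%-14s %-14s %s\n' "$p" "$c" "$(p7zip_status "$p" "$c")"
    done
done
```

Combinations the ticket does not cover, such as 16.02 against CVE-2016-9296, are reported as unknown and should be checked against the port's commit log.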

Actions #3

Updated by Jim Pingle over 7 years ago

  • Status changed from Rejected to Resolved