Headline
CVE-2023-46849
Using the --fragment option in certain configuration setups OpenVPN version 2.6.0 to 2.6.6 allows an attacker to trigger a divide by zero behaviour which could cause an application crash, leading to a denial of service.
Related news
Gentoo Linux Security Advisory 202409-8 - Multiple vulnerabilities have been discovered in OpenVPN, the worst of which could lead to information disclosure. Versions greater than or equal to 2.6.7 are affected.
Ubuntu Security Notice 6484-1 - It was discovered that OpenVPN incorrectly handled the --fragment option in certain configurations. A remote attacker could possibly use this issue to cause OpenVPN to crash, resulting in a denial of service. It was discovered that OpenVPN incorrectly handled certain memory operations. A remote attacker could use this issue to cause OpenVPN to crash, obtain sensitive information, or possibly execute arbitrary code.
Debian Linux Security Advisory 5555-1 - Two vulnerabilities were discovered in openvpn, a virtual private network application which could result in memory disclosure or denial of service.