CVE-2017-7521 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	High
Remote	Yes
Type	Arbitrary code execution
Description	A use-after-free has been found in OpenVPN < 2.4.3. The issue is caused by extract_x509_extension() not checking the return value of ASN1_STRING_to_UTF8(), and using then freeing a memory allocation that has already been freed if it failed. The issue requires the use of the --x509-alt-username option with an x509 extension, and is very unlikely to be triggered unless the remote peer can make the local process run out of memory.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-318	openvpn	2.4.2-1	2.4.3-1	Critical	Fixed

Date	Advisory	Group	Package	Severity	Type
22 Jun 2017	ASA-201706-27	AVG-318	openvpn	Critical	multiple issues

References
https://github.com/OpenVPN/openvpn/commit/cb4e35ece4 https://github.com/OpenVPN/openvpn/commit/2d032c7fcd