
Update openvpn to 2.4.3 (to fix multiple CVE's)
Closed, Public

Authored by kyrios123 on Jun 21 2017, 1:53 PM.

Details

Summary

Security

  • CVE-2017-7522: Fix --x509-track post-authentication remote DoS. A client could crash a 2.4+ mbedtls server, if that server uses the --x509-track option and the client has a correct, signed and unrevoked certificate that contains an embedded NUL in the certificate subject.
  • CVE-2017-7521: Fix post-authentication remote-triggerable memory leaks. A client could cause a server to leak a few bytes each time it connects to the server. That can eventually cause the server to run out of memory, thereby causing the server process to terminate.
  • CVE-2017-7521: Fix a potential post-authentication remote code execution attack on servers that use the --x509-username-field option with an X.509 extension field (option argument prefixed with ext:). A client that can cause a server to run out of memory (see above) might be able to cause the server to double free, which in turn might lead to remote code execution.
  • CVE-2017-7520: Pre-authentication remote crash/information disclosure for clients. If clients use an HTTP proxy with NTLM authentication (i.e. --http-proxy <server> <port> [<authfile>|'auto'|'auto-nct'] ntlm2), a man-in-the-middle attacker between the client and the proxy can cause the client to crash or disclose at most 96 bytes of stack memory. The disclosed stack memory is likely to contain the proxy password. If the proxy password is not reused, this is unlikely to compromise the security of the OpenVPN tunnel itself. Clients who do not use the --http-proxy option with ntlm2 authentication are not affected.
  • CVE-2017-7508: Fix remotely-triggerable ASSERT() on malformed IPv6 packet. This can be used to remotely shut down an openvpn server or client, if IPv6 and --mssfix are enabled and the IPv6 networks used inside the VPN are known.
  • Fix null-pointer dereference when talking to a malicious http proxy that returns a malformed Proxy-Authenticate: header for digest auth.
  • Fix overflow check for long --tls-cipher option

For new features, changes and bugfixes, please read the [full changelog](https://github.com/OpenVPN/openvpn/blob/master/Changes.rst#version-243).

Signed-off-by: Pierre-Yves <pyu@riseup.net>

Test Plan
  • Test Crypto:
    • sudo openvpn --genkey --secret key
    • sudo openvpn --test-crypto --secret key
  • Test SSL/TLS negotiations:
    • sudo openvpn --config sample/sample-config-files/loopback-client (in terminal #1)
    • sudo openvpn --config sample/sample-config-files/loopback-server (simultaneously in terminal #2)
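
For hosts that cannot take this update right away, the option preconditions named in the Security summary can be checked against existing OpenVPN configuration files. The following Python is an added example, not part of this revision or of OpenVPN; the function names, the set of directives treated as "IPv6 in use", and the sample configs are assumptions constructed for illustration.

```python
import shlex

# Assumption of this example: any of these directives means IPv6 is used inside the VPN.
IPV6_DIRECTIVES = {"server-ipv6", "ifconfig-ipv6", "ifconfig-ipv6-pool", "route-ipv6", "tun-ipv6"}

def parse_directives(config_text):
    """Return one token list per directive; comments and blank lines are dropped."""
    directives = []
    for line in map(str.strip, config_text.splitlines()):
        if not line or line[0] in "#;":
            continue
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:  # unbalanced quote, e.g. inside an inline <ca> block
            continue
        if tokens:
            tokens[0] = tokens[0].lstrip("-").lower()  # accept "--opt" and "opt"
            directives.append(tokens)
    return directives

def audit_config(config_text):
    """Return the sorted CVE ids whose option preconditions appear in the config."""
    directives = parse_directives(config_text)
    names = {d[0] for d in directives}
    hits = set()
    for name, *args in directives:
        lowered = [a.lower() for a in args]
        if name == "x509-track":
            hits.add("CVE-2017-7522")  # additionally requires a 2.4+ mbedtls server
        elif name == "x509-username-field" and lowered[:1] and lowered[0].startswith("ext:"):
            hits.add("CVE-2017-7521")  # the double-free case; the leak needs no option
        elif name == "http-proxy" and "ntlm2" in lowered[2:]:
            hits.add("CVE-2017-7520")
        elif name == "mssfix" and lowered[:1] != ["0"] and names & IPV6_DIRECTIVES:
            hits.add("CVE-2017-7508")  # only an explicit mssfix is checked; 0 disables it
    return sorted(hits)

# Constructed sample configs, not taken from the revision.
SAMPLE_SERVER = """\
server 10.8.0.0 255.255.255.0
server-ipv6 fd00:1234::/64
mssfix 1400
x509-track CN
x509-username-field ext:subjectAltName
"""
SAMPLE_CLIENT = "client\nremote vpn.example.test 1194\nhttp-proxy proxy.example.test 3128 auto ntlm2\nmssfix 0\n"

if __name__ == "__main__":
    print(audit_config(SAMPLE_SERVER), audit_config(SAMPLE_CLIENT))
```

An empty result does not mean a host running a version older than 2.4.3 is unaffected: the memory-leak item under CVE-2017-7521 has no option precondition in the summary.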

Diff Detail

Repository: R2261 openvpn
Lint: Lint Not Applicable
Unit: Tests Not Applicable

Event Timeline

kyrios123 retitled this revision from Update openvpn to 2.4.3 to Update openvpn to 2.4.3 (to fix multiple CVE's). Jun 21 2017, 1:54 PM
This revision is now accepted and ready to land. Jun 22 2017, 7:39 AM
This revision was automatically updated to reflect the committed changes.