[SECURITY] [DLA 4079-1] openvpn security update
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4079-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                        Aquila Macedo
March 08, 2025                                https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : openvpn
Version        : 2.5.1-3+deb11u1
CVE ID         : CVE-2022-0547 CVE-2024-5594
Debian Bug     : 1008015 1074488 1086653

Two vulnerabilities were discovered in openvpn, a virtual private
network application, which could result in authentication bypass or
data injection.

CVE-2022-0547

    OpenVPN may enable authentication bypass in external
    authentication plug-ins when more than one of them makes use of
    deferred authentication replies, which allows an external user to
    be granted access with only partially correct credentials.

CVE-2024-5594

    OpenVPN does not sanitize PUSH_REPLY messages properly, which
    attackers can use to inject unexpected arbitrary data into
    third-party executables or plug-ins.

For Debian 11 bullseye, these problems have been fixed in version
2.5.1-3+deb11u1.

We recommend that you upgrade your openvpn packages.

For the detailed security status of openvpn please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openvpn

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS