Ubuntu Security Notice USN-6484-1

Ubuntu Security Notice 6484-1 - It was discovered that OpenVPN incorrectly handled the --fragment option in certain configurations. A remote attacker could possibly use this issue to cause OpenVPN to crash, resulting in a denial of service. It was discovered that OpenVPN incorrectly handled certain memory operations. A remote attacker could use this issue to cause OpenVPN to crash, obtain sensitive information, or possibly execute arbitrary code.

Packet Storm
==========================================================================
Ubuntu Security Notice USN-6484-1
November 16, 2023

openvpn vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.10
- Ubuntu 23.04

Summary:

Several security issues were fixed in OpenVPN.

Software Description:
- openvpn: virtual private network software

Details:

It was discovered that OpenVPN incorrectly handled the --fragment option
in certain configurations. A remote attacker could possibly use this issue
to cause OpenVPN to crash, resulting in a denial of service.
(CVE-2023-46849)

It was discovered that OpenVPN incorrectly handled certain memory
operations. A remote attacker could use this issue to cause OpenVPN to
crash, obtain sensitive information, or possibly execute arbitrary code.
(CVE-2023-46850)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 23.10:
   openvpn                         2.6.5-0ubuntu1.1

Ubuntu 23.04:
   openvpn                         2.6.1-1ubuntu1.1

In general, a standard system update will make all the necessary changes.

References:
   https://ubuntu.com/security/notices/USN-6484-1
   CVE-2023-46849, CVE-2023-46850

Package Information:
   https://launchpad.net/ubuntu/+source/openvpn/2.6.5-0ubuntu1.1
   https://launchpad.net/ubuntu/+source/openvpn/2.6.1-1ubuntu1.1

Related news

Gentoo Linux Security Advisory 202409-08

Gentoo Linux Security Advisory 202409-8 - Multiple vulnerabilities have been discovered in OpenVPN, the worst of which could lead to information disclosure. Versions greater than or equal to 2.6.7 are affected.

Debian Security Advisory 5555-1

Debian Linux Security Advisory 5555-1 - Two vulnerabilities were discovered in openvpn, a virtual private network application which could result in memory disclosure or denial of service.

CVE-2023-46849

Using the --fragment option in certain configuration setups, OpenVPN version 2.6.0 to 2.6.6 allows an attacker to trigger a divide-by-zero behaviour which could cause an application crash, leading to a denial of service.

CVE-2023-46850

Use after free in OpenVPN version 2.6.0 to 2.6.6 may lead to undefined behavior, leaking memory buffers or remote execution when sending network buffers to a remote peer.
