Security
Headlines
HeadlinesLatestCVEs

Headline

Gentoo Linux Security Advisory 202409-08

Gentoo Linux Security Advisory 202409-8 - Multiple vulnerabilities have been discovered in OpenVPN, the worst of which could lead to information disclosure. Versions greater than or equal to 2.6.7 are affected.

Packet Storm
#vulnerability#web#mac#linux#ssl

Gentoo Linux Security Advisory GLSA 202409-08


                                       https://security.gentoo.org/  

Severity: Normal
Title: OpenVPN: Multiple Vulnerabilities
Date: September 22, 2024
Bugs: #835514, #917272
ID: 202409-08


Synopsis

Multiple vulnerabilities have been discovered in OpenVPN, the worst of
which could lead to information disclosure.

Background

OpenVPN is a multi-platform, full-featured SSL VPN solution.

Affected packages

Package Vulnerable Unaffected


net-vpn/openvpn < 2.6.7 >= 2.6.7

Description

Multiple vulnerabilities have been discovered in OpenVPN. Please review
the CVE identifiers referenced below for details.

Impact

Please review the referenced CVE identifiers for details.

Workaround

There is no known workaround at this time.

Resolution

All OpenVPN users should upgrade to the latest version:

emerge --sync

emerge --ask --oneshot --verbose “>=net-vpn/openvpn-2.6.7”

References

[ 1 ] CVE-2022-0547
https://nvd.nist.gov/vuln/detail/CVE-2022-0547
[ 2 ] CVE-2023-46849
https://nvd.nist.gov/vuln/detail/CVE-2023-46849
[ 3 ] CVE-2023-46850
https://nvd.nist.gov/vuln/detail/CVE-2023-46850

Availability

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202409-08

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users’ machines is of utmost
importance to us. Any security concerns should be addressed to
[email protected] or alternatively, you may file a bug at
https://bugs.gentoo.org.

License

Copyright 2024 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Related news

Ubuntu Security Notice USN-6850-1

Ubuntu Security Notice 6850-1 - It was discovered that OpenVPN incorrectly handled certain configurations with multiple authentication plugins. A remote attacker could possibly use this issue to bypass authentication using incomplete credentials.

Ubuntu Security Notice USN-6484-1

Ubuntu Security Notice 6484-1 - It was discovered that OpenVPN incorrectly handled the --fragment option in certain configurations. A remote attacker could possibly use this issue to cause OpenVPN to crash, resulting in a denial of service. It was discovered that OpenVPN incorrectly handled certain memory operations. A remote attacker could use this issue to cause OpenVPN to crash, obtain sensitive information, or possibly execute arbitrary code.

Ubuntu Security Notice USN-6484-1

Ubuntu Security Notice 6484-1 - It was discovered that OpenVPN incorrectly handled the --fragment option in certain configurations. A remote attacker could possibly use this issue to cause OpenVPN to crash, resulting in a denial of service. It was discovered that OpenVPN incorrectly handled certain memory operations. A remote attacker could use this issue to cause OpenVPN to crash, obtain sensitive information, or possibly execute arbitrary code.

Debian Security Advisory 5555-1

Debian Linux Security Advisory 5555-1 - Two vulnerabilities were discovered in openvpn, a virtual private network application which could result in memory disclosure or denial of service.

Debian Security Advisory 5555-1

Debian Linux Security Advisory 5555-1 - Two vulnerabilities were discovered in openvpn, a virtual private network application which could result in memory disclosure or denial of service.

CVE-2023-46849

Using the --fragment option in certain configuration setups OpenVPN version 2.6.0 to 2.6.6 allows an attacker to trigger a divide by zero behaviour which could cause an application crash, leading to a denial of service.

CVE-2023-46850

Use after free in OpenVPN version 2.6.0 to 2.6.6 may lead to undefined behavoir, leaking memory buffers or remote execution when sending network buffers to a remote peer.

CVE-2022-0547

OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials.

Packet Storm: Latest News

Acronis Cyber Protect/Backup Remote Code Execution