This affects both 2.4.x and 2.5.x. Fixed versions are 2.4.11 and 2.5.2 respectively. Here's the snippet from the announcement:
"The OpenVPN community project team is proud to release OpenVPN 2.5.2. It fixes two related security vulnerabilities (CVE-2020-15078) which under very specific circumstances allow tricking a server using delayed authentication (plugin or management) into returning a PUSH_REPLY before the AUTH_FAILED message, which can possibly be used to gather information about a VPN setup. In combination with --auth-gen-token or a user-specific token auth solution it can be possible to get access to a VPN with an otherwise-invalid account."
ping
*** Bug 786423 has been marked as a duplicate of this bug. ***
Hi there, is there something I could do to help with this? The vulnerability has a public CVE and its impact is non-negligible for servers. For the future: is there something the OpenVPN developers can do to communicate *beforehand* that a release with a security fix is coming? This way Gentoo maintainers can be prepared. I know other distros join a specific distribution list - but I am not sure if that's the case for Gentoo. Thanks!
I will contact you via email.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0355870fe3eb0f5d105bca9404a21a34e5649256
commit 0355870fe3eb0f5d105bca9404a21a34e5649256
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2021-04-30 18:12:50 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-04-30 18:58:34 +0000
    net-vpn/openvpn: bump to v2.5.2
    Bug: https://bugs.gentoo.org/785115
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
 net-vpn/openvpn/Manifest | 1 +
 net-vpn/openvpn/openvpn-2.5.2.ebuild | 174 +++++++++++++++++++++++++++++++++++
 2 files changed, 175 insertions(+)
arm64 done
x86 done
ppc64 done
ppc done
amd64 done
arm done
all arches done
Please cleanup.
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a0f872033e85edb4868f76650fa205cd7d10bd07
commit a0f872033e85edb4868f76650fa205cd7d10bd07
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2021-05-24 01:16:04 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-05-24 01:19:18 +0000
    net-vpn/openvpn: security cleanup
    Bug: https://bugs.gentoo.org/785115
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>
 net-vpn/openvpn/Manifest | 3 -
 net-vpn/openvpn/openvpn-2.4.9.ebuild | 170 -------------------------------
 net-vpn/openvpn/openvpn-2.5.0-r1.ebuild | 169 -------------------------------
 net-vpn/openvpn/openvpn-2.5.1-r1.ebuild | 171 --------------------------------
 4 files changed, 513 deletions(-)
New GLSA request filed.
This issue was resolved and addressed in GLSA 202105-25 at https://security.gentoo.org/glsa/202105-25 by GLSA coordinator Thomas Deutschmann (whissi).