From URL, "OpenVPN 2.1 up to v2.4.11 and v2.5.5 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials.
This issue is resolved in OpenVPN 2.4.12 and v2.5.6 where the OpenVPN server process will stop running with the following error message in the logs:
Exiting due to multiple authentication plug-ins performing deferred authentication. Only one authentication plug-in doing deferred auth is allowed. Ignoring the result and stopping now, the current authentication result is not to be trusted."
Please bump to 2.5.6.
The bug has been referenced in the following commit(s):
Author: Tomáš Mózes <firstname.lastname@example.org>
AuthorDate: 2022-04-19 22:41:00 +0000
Commit: Sam James <email@example.com>
CommitDate: 2022-04-23 01:22:45 +0000
net-vpn/openvpn: bump to 2.5.6
Signed-off-by: Tomáš Mózes <firstname.lastname@example.org>
Signed-off-by: Sam James <email@example.com>
net-vpn/openvpn/Manifest | 1 +
net-vpn/openvpn/openvpn-2.5.6.ebuild | 197 +++++++++++++++++++++++++++++++++++
2 files changed, 198 insertions(+)
Please stable when ready.
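An added example, not part of this bug report or of OpenVPN's code: a defender-side audit that applies the version ranges quoted in the advisory above, counts active `plugin` directives in a server config, and looks for the fixed releases' exit message in a log. The sample version string and config are constructed and the second plug-in path is hypothetical; a config alone cannot show whether a plug-in uses deferred authentication, so more than one plug-in on an affected version is only flagged for review.

```python
import re

# Log text the fixed releases (2.4.12 / 2.5.6) emit, as quoted in the advisory.
EXIT_MARKER = ("Exiting due to multiple authentication plug-ins "
               "performing deferred authentication")

def parse_version(text):
    """Pull (major, minor, patch) out of e.g. 'OpenVPN 2.5.5 x86_64-pc-linux-gnu'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def is_affected(version):
    """Affected per the advisory: 2.1 up to 2.4.11, and 2.5.x up to 2.5.5."""
    if version[:2] == (2, 5):
        return version < (2, 5, 6)
    return (2, 1, 0) <= version < (2, 4, 12)

def plugin_directives(config_text):
    """Return the module path of each active 'plugin' directive."""
    modules = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        tokens = line.split()
        # A leading "--" on the directive name is tolerated.
        if tokens[0].lstrip("-") == "plugin" and len(tokens) > 1:
            modules.append(tokens[1])
    return modules

def audit(version_text, config_text, log_text=""):
    version = parse_version(version_text)
    modules = plugin_directives(config_text)
    return {
        "affected_version": is_affected(version),
        "plugins": modules,
        # Config alone cannot show whether a plug-in defers; flag for review.
        "review_needed": is_affected(version) and len(modules) > 1,
        "fixed_build_refused": EXIT_MARKER in log_text,
    }

# Constructed sample input; the second module path is hypothetical.
SAMPLE_VERSION = "OpenVPN 2.5.5 x86_64-pc-linux-gnu"
SAMPLE_CONFIG = """\
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
;plugin /opt/example/disabled.so
plugin /opt/example/hypothetical-otp.so
"""
```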