UbuntuUpdates.org

Package "openvpn"

Name: openvpn

Description:

virtual private network daemon

Latest version: 2.4.12-0ubuntu0.20.04.2
Release: focal (20.04)
Level: updates
Repository: main
Homepage: https://openvpn.net/

Links


Download "openvpn"


Other versions of "openvpn" in Focal

Repository Area Version
base main 2.4.7-1ubuntu2
security main 2.4.12-0ubuntu0.20.04.2

Changelog

Version: 2.4.12-0ubuntu0.20.04.2 2024-07-02 17:07:06 UTC

  openvpn (2.4.12-0ubuntu0.20.04.2) focal-security; urgency=medium

  * SECURITY UPDATE: malicious peer can DoS or send garbage to logs
    - debian/patches/CVE-2024-5594.patch: properly handle null bytes and
      invalid characters in control messages in src/openvpn/buffer.*,
      src/openvpn/forward.c, tests/unit_tests/openvpn/test_buffer.c.
    - CVE-2024-5594

 -- Marc Deslauriers <email address hidden> Thu, 27 Jun 2024 15:09:17 -0400

Source diff to previous version

Version: 2.4.12-0ubuntu0.20.04.1 2023-11-30 18:07:10 UTC

  openvpn (2.4.12-0ubuntu0.20.04.1) focal; urgency=medium

  * New upstream releases 2.4.8-2.4.12 (LP: #2004676)
    - The version is being updated to the latest in 2.4.x rather than 2.6.x to
      avoid feature releases and focus on bug fixes
    - Updates:
      + Support compiling with OpenSSL 1.1 without deprecated APIs
      + Handle PSS padding in cryptoapicert (necessary for TLS >= 1.2)
      + Client will now announce the acceptable ciphers to the server
        (IV_CIPHER=...), so NCP cipher negotiation works better
    - Bug Fixes Include:
      + CVE-2020-11810
      + CVE-2020-15078
      + CVE-2022-0547
      + Fix "--mtu-disc maybe|yes"
      + Fix argv leaks in add_route() and add_route_ipv6()
      + Ensure the current common_name is in the environment for scripts
      + Apply connect-retry backoff only to one side of the connection for p2p
      + Fix PIN querying in systemd environments
      + Fix condition where a client's session could float to a new IP address
        that is not authorized
      + Fix combination of async push and NCP
      + Fix OpenSSL error stack handling of tls_ctx_add_extra_certs
      + Fix broken fragmentation logic when using NCP
      + Fix handling of 'route remote_host' for IPv6 transport case
      + Fix fatal error at switching remotes
      + See https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24 for
        additional bug fixes and information
  * Remove patches fixed upstream:
    - fix-pkcs11-helper-hang.patch
    - increase-listen-backlog-queue-to-32.patch
      [Included in upstream release 2.4.8]
    - CVE-2020-11810.patch
      [Included in upstream release 2.4.9]
    - CVE-2020-15078.patch
      [Included in upstream release 2.4.11]
    - CVE-2022-0547.patch
      [Included in upstream release 2.4.12]
  * Add DEP-8 tests from later releases
    - d/t/server-setup-with-static-key: test the OpenVPN server side setup
      using a static key.
    - d/t/server-setup-with-ca: test the OpenVPN server side setup using a
      CA built with easy-rsa.
    - The tests match those seen in Jammy and later with the exception of
      checking for /sbin/ip commands instead of net_... commands

 -- Lena Voytek <email address hidden> Mon, 21 Aug 2023 11:08:59 -0700

Source diff to previous version
2004676 MRE Updates 2.5.8 / 2.4.11
CVE-2020-11810 An issue was discovered in OpenVPN 2.4.x before 2.4.9. An attacker can inject a data channel v2 (P_DATA_V2) packet using a victim's peer-id. Normally
CVE-2020-15078 OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with defe
CVE-2022-0547 OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of def

Version: 2.4.7-1ubuntu2.20.04.4 2022-03-24 15:06:32 UTC

  openvpn (2.4.7-1ubuntu2.20.04.4) focal-security; urgency=medium

  * SECURITY UPDATE: authentication bypass via multiple deferred
    authentication plug-ins
    - debian/patches/CVE-2022-0547.patch: disallow multiple deferred
      authentication plug-ins in doc/openvpn.8, src/openvpn/plugin.c.
    - CVE-2022-0547

 -- Marc Deslauriers <email address hidden> Tue, 22 Mar 2022 10:40:54 -0400

Source diff to previous version
CVE-2022-0547 OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of def

Version: 2.4.7-1ubuntu2.20.04.3 2021-08-04 15:06:22 UTC

  openvpn (2.4.7-1ubuntu2.20.04.3) focal; urgency=medium

  * d/p/increase-listen-backlog-queue-to-32.patch: Increase listen backlog queue
    to 32 (LP: #1934781)

 -- Athos Ribeiro <email address hidden> Mon, 19 Jul 2021 16:26:19 -0300

Source diff to previous version
1934781 TCP socket backlog set too low (\

Version: 2.4.7-1ubuntu2.20.04.2 2021-05-04 13:06:23 UTC

  openvpn (2.4.7-1ubuntu2.20.04.2) focal-security; urgency=medium

  * SECURITY UPDATE: data channel v2 packet injection
    - debian/patches/CVE-2020-11810.patch: fix illegal client float in
      src/openvpn/multi.c.
    - CVE-2020-11810
  * SECURITY UPDATE: Authentication bypass with deferred authentication
    - debian/patches/CVE-2020-15078.patch: ensure key state is
      authenticated before sending push reply in src/openvpn/push.c.
    - CVE-2020-15078

 -- Marc Deslauriers <email address hidden> Tue, 27 Apr 2021 10:51:26 -0400

CVE-2020-11810 An issue was discovered in OpenVPN 2.4.x before 2.4.9. An attacker can inject a data channel v2 (P_DATA_V2) packet using a victim's peer-id. Normally
CVE-2020-15078 OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with defe



About   -   Send Feedback to @ubuntu_updates