UbuntuUpdates.org

Package "openvpn"

Name: openvpn

Description:

virtual private network daemon

Latest version: 2.5.1-1ubuntu1.1
Release: hirsute (21.04)
Level: security
Repository: main
Homepage: https://openvpn.net/

Links


Download "openvpn"


Other versions of "openvpn" in Hirsute

Repository Area Version
base main 2.5.1-1ubuntu1
updates main 2.5.1-1ubuntu1.1

Changelog

Version: 2.5.1-1ubuntu1.1 2021-05-04 13:06:25 UTC

  openvpn (2.5.1-1ubuntu1.1) hirsute-security; urgency=medium

  * SECURITY UPDATE: Authentication bypass with deferred authentication
    - debian/patches/CVE-2020-15078-pre1.patch: move context_auth from
      context_2 to tls_multi and name it multi_state in
      src/openvpn/forward.c, src/openvpn/multi.c, src/openvpn/openvpn.h,
      src/openvpn/push.c, src/openvpn/ssl_common.h.
    - debian/patches/CVE-2020-15078-pre2.patch: fix condition to generate
      session keys in src/openvpn/ssl.c.
    - debian/patches/CVE-2020-15078-1.patch: move auth_token_state from
      multi to key_state in src/openvpn/auth_token.c,
      src/openvpn/ssl_common.h, src/openvpn/ssl_verify.c,
      tests/unit_tests/openvpn/test_auth_token.c.
    - debian/patches/CVE-2020-15078-2.patch: ensure auth-token is only sent
      on a fully authenticated session in src/openvpn/ssl_verify.c.
    - debian/patches/CVE-2020-15078-3.patch: ensure key state is
      authenticated before sending push reply in src/openvpn/push.c.
    - CVE-2020-15078

 -- Marc Deslauriers <email address hidden> Tue, 27 Apr 2021 10:03:40 -0400

CVE-2020-15078 OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with defe



About   -   Send Feedback to @ubuntu_updates