CVE-2022-0547
OpenVPN may enable authentication bypass in external
authentication plug-ins when more than one of them makes use of
deferred authentication replies, which allows an external user to
be granted access with only partially correct credentials.
CVE-2024-5594
OpenVPN does not sanitize PUSH_REPLY messages properly which
attackers can use to inject unexpected arbitrary data into
third-party executables or plug-ins.
For Debian 11 bullseye, these problems have been fixed in version
2.5.1-3+deb11u1.
We recommend that you upgrade your openvpn packages.
For the detailed security status of openvpn please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/openvpn
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
Get the latest Linux and open source security news straight to your inbox.