Alerts This Week
Warning Icon 1 1,394
Alerts This Week
Warning Icon 1 1,394

Debian LTS: DLA-4079-1 critical update on OpenVPN auth bypass issues

debian lts
Calendar Grey March 8, 2025
Dist Debian Esm H88
Ubuntu LTS Notification USN-5653-1 resolves multiple vulnerabilities in OpenSSH that could result in authentication bypass and arbitrary command execution.
Two vulnerabilities were discovered in openvpn, a virtual private network application which could result in authentication bypass or data injection

Summary

CVE-2022-0547

OpenVPN may enable authentication bypass in external
authentication plug-ins when more than one of them makes use of
deferred authentication replies, which allows an external user to
be granted access with only partially correct credentials.

CVE-2024-5594

OpenVPN does not sanitize PUSH_REPLY messages properly which
attackers can use to inject unexpected arbitrary data into
third-party executables or plug-ins.

For Debian 11 bullseye, these problems have been fixed in version
2.5.1-3+deb11u1.

We recommend that you upgrade your openvpn packages.

For the detailed security status of openvpn please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/openvpn

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Severity
critical
Lowest
Low
Medium
High
Critical

Package: openvpn
Version: 2.5.1-3+deb11u1
CVE ID: CVE-2022-0547 CVE-2024-5594
Debian Bug: 1008015 1074488 1086653

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here