Explore top 10 tips to secure your open-source projects now. Read More
×Several security issues were fixed in OpenVPN.. ========================================================================== Ubuntu Security Notice USN-8540-1 July 14, 2026 openvpn vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 26.04 LTS - Ubuntu 24.04 LTS - Ubuntu 22.04 LTS Summary: Several security issues were fixed in OpenVPN. Software Description: - openvpn: virtual private network software Details: It was discovered that OpenVPN had a 1-byte buffer overrun when handling NTLMv2 proxy responses. An attacker could use this issue to cause a denial of service or possibly execute arbitrary code. This issue only affected Ubuntu 24.04 LTS and Ubuntu 26.04 LTS. (CVE-2026-11771) It was discovered that OpenVPN incorrectly handled metadata when extracting tls-crypt-v2 client keys. An attacker could possibly use this issue to obtain sensitive information. (CVE-2026-12932) It was discovered that OpenVPN had a use-after-free in the ack_write_buf handling. An attacker could use this issue to cause OpenVPN to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2026-12996) It was discovered that OpenVPN had a use-after-free in the tls_wrap_reneg handling. An attacker could use this issue to cause OpenVPN to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 24.04 LTS and Ubuntu 26.04 LTS. (CVE-2026-13117) It was discovered that OpenVPN incorrectly validated authentication tokens when external authentication was enabled. A remote attacker could possibly use this issue to cause OpenVPN to crash, resulting in a denial of service. This issue only affected Ubuntu 24.04 LTS and Ubuntu 26.04 LTS. (CVE-2026-13122) It was discovered that OpenVPN had a memory leak when handling tls-crypt-v2 client keys. A remote attacker with a valid tls-crypt-v2 client key could possibly use this issue to cause OpenVPN to consumeexcessive resources, leading to a denial of service. (CVE-2026-13698) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 26.04 LTS openvpn 2.7.0-1ubuntu1.2 Ubuntu 24.04 LTS openvpn 2.6.19-0ubuntu0.24.04.3 Ubuntu 22.04 LTS openvpn 2.5.11-0ubuntu0.22.04.4 After a standard system update you need to restart OpenVPN to make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8540-1 CVE-2026-11771, CVE-2026-12932, CVE-2026-12996, CVE-2026-13117, CVE-2026-13122, CVE-2026-13698 Package Information: https://launchpad.net/ubuntu/+source/openvpn/2.7.0-1ubuntu1.2 https://launchpad.net/ubuntu/+source/openvpn/2.6.19-0ubuntu0.24.04.3 https://launchpad.net/ubuntu/+source/openvpn/2.5.11-0ubuntu0.22.04.4 . OpenVPN fixes critical security issues in Ubuntu with potential code execution and denial of service risks. Prompt updates are advisable.. OpenVPN security update, Ubuntu vulnerability fix, critical advisory 2026, denial of service risk. . Severity: Critical. LinuxSecurity.com Team
A regression has been discovered in the latest release of openvpn 2.5.1-3+deb11u3. The fix adressing CVE-2026-40215 contained a bug which could lead to segmentation faults. Furthermore, the function backported for the fix has recently been disovered to be vulnerable to CVE-2026- 12996.. ------------------------------------------------------------------------- Debian LTS Advisory DLA-4653-2
Update to upstream 2.6.21 release. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-89f19dcfa6 2026-07-04 01:06:18.979287+00:00 -------------------------------------------------------------------------------- Name : openvpn Product : Fedora 43 Version : 2.6.21 Release : 1.fc43 URL : https://community.openvpn.net/ Summary : A full-featured TLS VPN solution Description : OpenVPN is a robust and highly flexible tunneling application that uses all of the encryption, authentication, and certification features of the OpenSSL library to securely tunnel IP networks over a single UDP or TCP port. It can use the Marcus Franz Xaver Johannes Oberhumers LZO library for compression. -------------------------------------------------------------------------------- Update Information: Update to upstream 2.6.21 release -------------------------------------------------------------------------------- ChangeLog: * Wed Jul 1 2026 Frank Lichtenheld - 2.6.21-1 - Update to upstream OpenVPN 2.6.21 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-89f19dcfa6' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Update to upstream 2.7.5 release. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2026-117dbc031b 2026-07-04 00:49:17.194881+00:00 -------------------------------------------------------------------------------- Name : openvpn Product : Fedora 44 Version : 2.7.5 Release : 1.fc44 URL : https://community.openvpn.net/ Summary : A full-featured TLS VPN solution Description : OpenVPN is a robust and highly flexible tunneling application that uses all of the encryption, authentication, and certification features of the OpenSSL library to securely tunnel IP networks over a single UDP or TCP port. It can use the Marcus Franz Xaver Johannes Oberhumers LZO library for compression. -------------------------------------------------------------------------------- Update Information: Update to upstream 2.7.5 release -------------------------------------------------------------------------------- ChangeLog: * Wed Jul 1 2026 Frank Lichtenheld - 2.7.5-1 - Update to upstream 2.7.5 release * Fri Jun 12 2026 Yaakov Selkowitz - 2.7.4-2 - Rebuilt for openssl 4.0 * Thu Apr 30 2026 Frank Lichtenheld - 2.7.4 - Update to upstream 2.7.4 release -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2026-117dbc031b' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys -------------------------------------------------------------------------------- -- _______________________________________________ package-announce mailing list --
Multiple security vulnerabilities were discovered in OpenVPN, which could result in denial of service. For Debian 12 bookworm, these problems have been fixed in version 2.6.14-0+deb12u2. We recommend that you upgrade your openvpn packages.. Debian LTS Advisory DLA-4666-1
Multiple security vulnerabilities were discovered in OpenVPN, which could result in denial of service. For the stable distribution (trixie), these problems have been fixed in version 2.6.14-1+deb13u3. We recommend that you upgrade your openvpn packages.. - ------------------------------------------------------------------------- Debian Security Advisory DSA-6376-1
Two security vulnerabilities were discovered in OpenVPN, a virtual private network application. CVE-2026-35058 Improper validation of packet length during tls-crypt-v2 key extraction allows authenticated attackers to trigger a fatal. ------------------------------------------------------------------------- Debian LTS Advisory DLA-4653-1
Two security vulnerabilities were discovered in OpenVPN, which could result in denial of service or a leak of packet data from a previous handshake. For the oldstable distribution (bookworm), these problems have been fixed in version 2.6.14-0+deb12u1.. - ------------------------------------------------------------------------- Debian Security Advisory DSA-6289-1
Get the latest Linux and open source security news straight to your inbox.