UbuntuUpdates.org

Package "openvpn"

Name: openvpn

Description:

virtual private network daemon
Latest version: 2.6.12-0ubuntu0.24.04.1
Release: noble (24.04)
Level: updates
Repository: main
Homepage: https://openvpn.net/

Links

All versions of this package
Bug fixes

List of files in package
Repository home page

Download "openvpn"

32-bit deb package
64-bit deb package
APT INSTALL

Other versions of "openvpn" in Noble

Repository Area Version
base main 2.6.9-1ubuntu4
security main 2.6.9-1ubuntu4.1

Changelog

Version: 2.6.12-0ubuntu0.24.04.1 2024-10-10 21:07:20 UTC

  openvpn (2.6.12-0ubuntu0.24.04.1) noble; urgency=medium

  * New upstream release 2.6.12 (LP: #2073318):
    - CVE Fixes:
      + CVE-2024-4877, CVE-2024-5594, CVE-2024-28882, CVE-2024-27459,
        CVE-2024-24974, CVE-2024-27903
    - Updates:
      + Allow trailing \r and \n in control channel message
      + Implement --server-poll-timeout on SOCKS proxies
      + Implement Windows CA template match for Crypto-API selector
      + Update sample configuration files
      + Update systemd unit file documentation references
    - Bug Fixes Include:
      + Fix issue with proxy credentials caching
      + Fix LibreSSL crashing when enumerating digests/cipher with workaround
      + Use snprintf instead of sprintf for get_ssl_library_version
      + Fix disabling DCO when proxy is set via management interface
      + See https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn26 for
        additional bug fixes and information
  * Remove patches fixed upstream:
    - d/p/systemd.patch
    [Fixed in 2.6.10]
    - d/p/CVE-2024-28882.patch
    - d/p/CVE-2024-5594.patch
    [Fixed in 2.6.11]

 -- Lena Voytek <email address hidden> Tue, 17 Sep 2024 10:27:52 -0700
Source diff to previous version
2073318 Backport of openvpn for jammy and noble
CVE-2024-28882 OpenVPN from 2.6.0 through 2.6.10 in a server role accepts multiple exit notifications from authenticated clients which will extend the validity of a
CVE-2024-27459 The interactive service in OpenVPN 2.6.9 and earlier allows an attacker to send data causing a stack overflow which can be used to execute arbitrary
CVE-2024-24974 The interactive service in OpenVPN 2.6.9 and earlier allows the OpenVPN service pipe to be accessed remotely, which allows a remote attacker to inter
CVE-2024-27903 OpenVPN plug-ins on Windows with OpenVPN 2.6.9 and earlier could be loaded from any directory, which allows an attacker to load an arbitrary plug-in

Version: 2.6.9-1ubuntu4.1 2024-07-02 17:07:09 UTC

  openvpn (2.6.9-1ubuntu4.1) noble-security; urgency=medium

  * SECURITY UPDATE: client can circumvent management client-kill
    - debian/patches/CVE-2024-28882.patch: only schedule_exit() once in
      src/openvpn/forward.*, src/openvpn/push.c.
    - CVE-2024-28882
  * SECURITY UPDATE: malicious peer can DoS or send garbage to logs
    - debian/patches/CVE-2024-5594.patch: properly handle null bytes and
      invalid characters in control messages in src/openvpn/buffer.*,
      src/openvpn/forward.c, tests/unit_tests/openvpn/test_buffer.c.
    - CVE-2024-5594

 -- Marc Deslauriers <email address hidden> Thu, 27 Jun 2024 14:21:42 -0400


About   -   Send Feedback to @ubuntu_updates