[SECURITY] [DLA 2992-1] openvpn security update

To: <debian-lts-announce@lists.debian.org>
Subject: [SECURITY] [DLA 2992-1] openvpn security update
From: Emilio Pozuelo Monfort <pochu@debian.org>
Date: Tue, 3 May 2022 14:18:13 +0200 (CEST)
Message-id: <[🔎] 20220503121813.6AA552A04DA@andromeda>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2992-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/               Emilio Pozuelo Monfort
May 03, 2022                                  https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : openvpn
Version        : 2.4.0-6+deb9u4
CVE ID         : CVE-2017-12166 CVE-2020-11810 CVE-2020-15078 CVE-2022-0547

Several issues were discovered in OpenVPN, a Virtual Private Network server
and client, that could lead to authentication bypass when using deferred
auth plugins.

Note that this upload disables support for multiple deferred auth plugins,
following the upstream fix for CVE-2022-0547.

For Debian 9 stretch, these problems have been fixed in version
2.4.0-6+deb9u4.

We recommend that you upgrade your openvpn packages.

For the detailed security status of openvpn please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openvpn

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEcJymx+vmJZxd92Q+nUbEiOQ2gwIFAmJxHYUACgkQnUbEiOQ2
gwKXKBAAownXxFKWGfheCVAT4cqhawgv6jaj8Lv8BvTEOxaqXf+bKl3stibEQA4G
Ret3lV3MM6qthjaURsvtCv5nDH4wU2lgUBCWnbBTAyV2LKyv1yoA0yLOfGiighCR
3+SJwQNj7xv4I4h/ljAClZ4fg/iESBGEzg5hq9qgfJ+tQe71oD86/xMqcdp7GUkE
glaFkoGTSTPD5KzwY+iW52Zn+rjLZoNBwV+gJCSkB1UHxLINQV6IoIaJPlIY4qSg
2U8sVIbr4zmeKCrSzKdGxzYmNEbtp0MjgoFzwo8Xu01Gw7RHcsGNdgzzSD5Dfc4Y
zD2pdZqjSawr6TE0JNV4CEroocGR+FkFDoQVCP1RWWMbc9o30Y+NWQu+/VVkwHMs
lzjcKSUNJ8GfnE+tsA3UbxvffVJcpAvd8a8m4OFU0r0z8Opfo4l4tgNc5IwAzkxS
BVPGG7V870u8/6N/AtrYMjniDQ+EG/rlWphCFi/qv5LhzfZCM8oIRNIFGUQte4s1
GKgvlwxzakRLWgIov9KzeOrgj0WD7nHZeTqDTFntC7rgENwTlvc1Blksc0f5nq4k
jE9/PiL+S91rp99Q/4mzSYrRLKHk5Kd+OwNNkURIo0J7atxVP1n/LgA/rojfM+T9
puvNz9usFzlNEnVbKDXDAq6Ki5l8fgDEIYl0sUHcEF/4EKRSKCY=
=tmEZ
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 2990-1] jackson-databind security update
Next by Date: [SECURITY] [DLA 2991-1] twisted security update
Previous by thread: [SECURITY] [DLA 2990-1] jackson-databind security update
Next by thread: [SECURITY] [DLA 2991-1] twisted security update
Index(es):
- Date
- Thread