Package | openvpn |
---|---|
Version | 2.4.7-1+deb10u2 (buster) |
Related CVEs | CVE-2022-0547 CVE-2024-5594 |
Two vulnerabilities were discovered in openvpn, a virtual private network application, which could result in authentication bypass or data injection.
CVE-2022-0547
OpenVPN may enable authentication bypass in external
authentication plug-ins when more than one of them makes use of
deferred authentication replies, which allows an external user to
be granted access with only partially correct credentials.
CVE-2024-5594
OpenVPN does not sanitize PUSH_REPLY messages properly, which
attackers can use to inject unexpected arbitrary data into
third-party executables or plug-ins.
For Debian 10 buster, these problems have been fixed in version 2.4.7-1+deb10u2.
We recommend that you upgrade your openvpn packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.
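The following check is an added example, not part of the advisory or of the openvpn package. It compares the installed package against the fixed version named above and flags server configurations that load more than one plug-in, the setup CVE-2022-0547 concerns. The function names are hypothetical; it assumes `dpkg` is present and that configuration files are passed as arguments.

```shell
#!/bin/sh
# Added example: audit a Debian 10 host against this advisory.
FIXED_VERSION='2.4.7-1+deb10u2'   # fixed version stated in the advisory

# Count active "plugin" directives in one OpenVPN config file.
# Commented lines ("# plugin ..." or ";plugin ...") never have "plugin"
# as their first field, so they are skipped.
# Limitation: plug-ins passed as --plugin on the command line or pulled
# in through nested "config" includes are not seen.
count_plugins() {
    awk '$1 == "plugin" { n++ } END { print n + 0 }' "$1"
}

# Return 0 if the installed openvpn package is at or above FIXED_VERSION,
# 1 if it is older, 2 if the package or dpkg is not available.
package_is_fixed() {
    installed=$(dpkg-query -W -f='${Version}' openvpn 2>/dev/null) || return 2
    dpkg --compare-versions "$installed" ge "$FIXED_VERSION"
}

# Report on one config file; return 1 when more than one plug-in is loaded.
# The script cannot tell whether the plug-ins use deferred authentication,
# so a finding means "review this file", not "vulnerable".
audit_config() {
    n=$(count_plugins "$1")
    if [ "$n" -gt 1 ]; then
        echo "REVIEW $1: $n plugin directives (see CVE-2022-0547)"
        return 1
    fi
    echo "ok     $1: $n plugin directive(s)"
}

# Usage: sh audit.sh /etc/openvpn/*.conf   (paths are an assumption)
if [ "$#" -gt 0 ]; then
    package_is_fixed
    case $? in
        0) echo "openvpn package is at or above $FIXED_VERSION" ;;
        1) echo "openvpn package is older than $FIXED_VERSION: upgrade" ;;
        *) echo "openvpn package version could not be determined" ;;
    esac
    for f in "$@"; do audit_config "$f"; done
fi
```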