ELA-1519-1 openvpn security update

data injection

2025-09-20
Package: openvpn
Version: 2.4.0-6+deb9u5 (stretch)
Related CVEs: CVE-2024-5594


A vulnerability was discovered in openvpn, a virtual private network application, which could result in data injection.

CVE-2024-5594

OpenVPN does not sanitize PUSH_REPLY messages properly, which
attackers can use to inject unexpected arbitrary data into
third-party executables or plug-ins.


For Debian 9 stretch, this problem has been fixed in version 2.4.0-6+deb9u5.

We recommend that you upgrade your openvpn packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.