| Summary: | openvpn new security issue CVE-2020-15078 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | andrewsfarm, brtians1, bruno, joequant, nicolas.salguero, ouaurelien, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA7TOO MGA8-64-OK MGA7-64-OK | ||
| Source RPM: | openvpn-2.5.0-2.mga8.src.rpm | CVE: | CVE-2020-15078 |
| Status comment: | |||
|
Description
David Walser
2021-05-29 00:57:40 CEST
David Walser
2021-05-29 00:57:52 CEST
Status comment:
(none) =>
Fixed upstream in 2.5.2

Unsure who to give this to, so assigning it globally. CC'd Joseph (who has done all the most recent updates), and Bruno (registered maintainer).

CC:
(none) =>
bruno, joequant

Fedora has issued an advisory for this on April 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GJUXEYHUPREEBPX23VPEKMFXUPVO3PMU/

The issue is also fixed in 2.4.11.

Suggested advisory:
========================

The updated packages fix a security vulnerability:

OpenVPN 2.5.1 and earlier versions allow remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks. (CVE-2020-15078)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15078
https://ubuntu.com/security/notices/USN-4933-1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GJUXEYHUPREEBPX23VPEKMFXUPVO3PMU/
========================

Updated packages in 7/core/updates_testing:
========================
openvpn-2.4.9-1.1.mga7
lib(64)openvpn-devel-2.4.9-1.1.mga7

from SRPM:
openvpn-2.4.9-1.1.mga7.src.rpm

Updated packages in 8/core/updates_testing:
========================
openvpn-2.5.0-2.1.mga8
lib(64)openvpn-devel-2.5.0-2.1.mga8

from SRPM:
openvpn-2.5.0-2.1.mga8.src.rpm

CVE:
(none) =>
CVE-2020-15078

MGA-64 - xfce - phys hardware

The following 4 packages are going to be installed:

- lib64pkcs11-helper1-1.27.0-1.mga8.x86_64
- libobjc4-10.3.0-1.mga8.x86_64
- openvpn-2.5.0-2.1.mga8.x86_64
- perl-Authen-PAM-0.160.0-25.mga8.x86_64

---

rebooted went through MCC and did some configuration then modified netconfig. Seems to be functional from my perspective.

Whiteboard:
MGA7TOO =>
MGA7TOO MGA8-64-OK

MGA7-64

The following 3 packages are going to be installed:

- glibc-2.29-23.mga7.x86_64
- glibc-devel-2.29-23.mga7.x86_64
- openvpn-2.4.9-1.1.mga7.x86_64

Also installed dev package

------------

ran a couple of commands with openvpn

# openvpn --show-ciphers
The following ciphers and cipher modes are available for use with OpenVPN. Each cipher shown below may be use as a parameter to the --cipher option. The default key size is shown as well as whether or not it can be changed with the --keysize directive. Using a CBC or GCM mode is recommended. In static key mode only CBC mode is allowed.

AES-128-CBC (128 bit key, 128 bit block)

etc. etc. etc.

it is responding.

Whiteboard:
MGA7TOO MGA8-64-OK =>
MGA7TOO MGA8-64-OK MGA7-64-OK

Validating. Advisory in Comment 3.

Keywords:
(none) =>
validated_update
Aurelien Oudelet
2021-06-29 15:48:32 CEST
Keywords:
(none) =>
advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0302.html

Resolution:
(none) =>
FIXED |