Bug 33336

Summary: openvpn new security issue CVE-2024-5594
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, sysadmin-bugs
Version: 9Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA9-64-OK
Source RPM: openvpn-2.5.9-1.mga9.src.rpm CVE: CVE-2024-5594
Status comment:

Description Nicolas Salguero 2024-06-27 15:31:32 CEST 
Fedora has issued an advisory on June 27:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G2MRELY2ZT6N3PIJHLUCNPCY5GA5EDDU/

The problem is fixed in version 2.6.11.

Mageia 9 is also affected.
Nicolas Salguero 2024-06-27 15:32:14 CEST

CVE: (none) => CVE-2024-5594, CVE-2024-28882
Status comment: (none) => Fixed upstream in 2.6.11
Whiteboard: (none) => MGA9TOO
Source RPM: (none) => openvpn-2.5.9-1.mga9.src.rpm

Comment 1 Lewis Smith 2024-06-27 20:42:14 CEST 
For M9, it is a big version jump: 2.5.9 to 2.6.11.
Updates previously done by luigi, it is now necessary to assign this globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2024-07-03 14:14:46 CEST 
Ubuntu has issued an advisory on July 2:
https://ubuntu.com/security/notices/USN-6860-1

They consider that CVE-2024-28882 only affects openvpn since 2.6.

Summary: openvpn new security issues CVE-2024-5594 and CVE-2024-28882 => openvpn new security issue CVE-2024-5594
CVE: CVE-2024-5594, CVE-2024-28882 => CVE-2024-5594

Comment 3 Nicolas Salguero 2024-07-03 14:36:19 CEST 
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Control channel: refuse control channel messages with nonprintable characters in them. (CVE-2024-5594)

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G2MRELY2ZT6N3PIJHLUCNPCY5GA5EDDU/
https://ubuntu.com/security/notices/USN-6860-1
========================

Updated packages in core/updates_testing:
========================
openvpn-2.5.9-1.1.mga9
lib(64)openvpn-devel-2.5.9-1.1.mga9

from SRPM:
openvpn-2.5.9-1.1.mga9.src.rpm

Status comment: Fixed upstream in 2.6.11 => (none)
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
Version: Cauldron => 9

katnatek 2024-07-03 20:03:10 CEST

Keywords: (none) => advisory

Comment 4 Thomas Andrews 2024-07-04 03:14:35 CEST 
MGA9-64 Plasma. No installation issues.

I use openvpn from time to time with Network Manager and a Surfshark account. Surfshark does not support vpns for IPV6, so I have that disabled when using it. I had used a vpn a few days ago, so I know it worked before the update. 

After the update, I instructed NM to connect me with a vpn server in California. Checking several what-is-my-IP sites showed a different IP and my "location" to be somewhere in Los Angeles.

I closed Firefox, disconnected from the California server, and connected to Montreal, Quebec, Canada. The above sites now saw the new IP and "correctly" located me in Canada.

I am using it to write this comment, so I can confirm communication through the vpn.

This looks OK to me. Validating.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA9-64-OK
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Mageia Robot 2024-07-04 18:48:56 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0255.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED