Fedora has issued an advisory today (April 27): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/F6UXS4WUVAGMXRRBWQNUHMT5JZYYW4KW/ The issue is fixed upstream in 2.4.9. Mageia 7 is also affected.
Status comment: (none) => Fixed upstream in 2.4.9Whiteboard: (none) => MGA7TOO
Updated packages uploaded for Mageia 7 and Cauldron. Advisory: ======================== Updated openvpn packages fix security vulnerability: An issue was discovered in OpenVPN 2.4.x before 2.4.9. An attacker can inject a data channel v2 (P_DATA_V2) packet using a victim's peer-id. Normally such packets are dropped, but if this packet arrives before the data channel crypto parameters have been initialized, the victim's connection will be dropped. This requires careful timing due to the small time window (usually within a few seconds) between the victim client connection starting and the server PUSH_REPLY response back to the client. This attack will only work if Negotiable Cipher Parameters (NCP) is in use (CVE-2020-11810). The openvpn package has been updated to version 2.4.9, fixing the issue and other bugs. See the upstream release notes for details. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11810 https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/F6UXS4WUVAGMXRRBWQNUHMT5JZYYW4KW/ ======================== Updated packages in core/updates_testing: ======================== openvpn-2.4.9-1.mga7 libopenvpn-devel-2.4.9-1.mga7 from openvpn-2.4.9-1.mga7.src.rpm
Version: Cauldron => 7Whiteboard: MGA7TOO => (none)Assignee: bugsquad => qa-bugsStatus comment: Fixed upstream in 2.4.9 => (none)
The following 4 packages are going to be installed: - libobjc4-8.4.0-1.mga7.i586 - libopenvpn-devel-2.4.9-1.mga7.i586 - openvpn-2.4.9-1.mga7.i586 - perl-Authen-PAM-0.160.0-22.mga7.i586 # openvpn --genkey --secret key # openvpn --test-crypto --secret key blah blah blah ... Fri May 1 09:54:31 2020 TESTING ENCRYPT/DECRYPT of packet length=1500 Fri May 1 09:54:31 2020 OpenVPN crypto self-test mode SUCCEEDED. vi /usr/share/openvpn/sample-config-files/loopback-server dh /usr/share/openvpn/sample-keys/dh2048.pem ca /usr/share/openvpn/sample-keys/ca.crt key /usr/share/openvpn/sample-keys/server.key cert /usr/share/openvpn/sample-keys/server.crt tls-auth /usr/share/openvpn/sample-keys/ta.key 0 vi /usr/share/openvpn/sample-config-files/loopback-client Modify the following rows: ca /usr/share/openvpn/sample-keys/ca.crt key /usr/share/openvpn/sample-keys/client.key cert /usr/share/openvpn/sample-keys/client.crt tls-auth /usr/share/openvpn/sample-keys/ta.key 1 # NOW PROTECT THE FILES # cd /usr/share/openvpn/sample-config-files # chmod go-r loop* # cd /usr/share/openvpn/sample-keys # chmod go-r ta.key # chmod go-r client.key Then on one terminal I run the server: # openvpn --config /usr/share/openvpn/sample-config-files/loopback-server on the other terminal I run # openvpn --config /usr/share/openvpn/sample-config-files/loopback-client When the client starts I see this on the server Fri May 1 14:00:36 2020 TLS: Initial packet from [AF_INET6]::1:16001, sid=20e7d1e0 6ad892ed On the client I see ri May 1 14:00:41 2020 WARNING: --ping should normally be used with --ping-restart or --ping-exit Fri May 1 14:00:41 2020 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Fri May 1 14:00:41 2020 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication Fri May 1 14:00:41 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]127.0.0.1:16000 Fri May 1 14:00:41 2020 Socket Buffers: R=[180224->180224] S=[180224->180224] Fri May 1 14:00:41 2020 UDP link local (bound): [AF_INET]127.0.0.1:16001 Fri May 1 14:00:41 2020 UDP link remote: [AF_INET]127.0.0.1:16000 They seem to be goign through a series of connections Seems to work.
CC: (none) => brtians1Whiteboard: (none) => MGA7-32-OK
I've considered setting up a VPN from time to time, but every time I look into it I get hopelessly lost. That said, I can certainly check the 64-bit version of this update for a clean install, which I did, Running "openvpn" from the command line gets me a very long and detailed list of options, so it would appear that part works, anyway. Giving it the 64-bit OK based on that, and assuming Brian's 32-bit test will suffice for testing function. Validating. Advisory in Comment 1.
CC: (none) => andrewsfarm, sysadmin-bugsWhiteboard: MGA7-32-OK => MGA7-32-OK MGA7-64-OKKeywords: (none) => validated_update
Keywords: (none) => advisoryCC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0195.html
Status: NEW => RESOLVEDResolution: (none) => FIXED