Bug 29007 - openvpn new security issue CVE-2020-15078
Summary: openvpn new security issue CVE-2020-15078
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO MGA8-64-OK
Keywords:
Depends on:
Blocks:
 
Reported: 2021-05-29 00:57 CEST by David Walser
Modified: 2021-06-16 20:15 CEST

See Also:
Source RPM: openvpn-2.5.0-2.mga8.src.rpm
CVE: CVE-2020-15078
Status comment:



Description David Walser 2021-05-29 00:57:40 CEST
Ubuntu has issued an advisory on May 4:
https://ubuntu.com/security/notices/USN-4933-1

The issue is fixed upstream in 2.5.2.

Mageia 7 and Mageia 8 are also affected.

David Walser 2021-05-29 00:57:52 CEST

Status comment: (none) => Fixed upstream in 2.5.2
Whiteboard: (none) => MGA8TOO, MGA7TOO

Comment 1 Lewis Smith 2021-05-29 21:39:05 CEST
Unsure who to give this to, so assigning it globally. CC'd Joseph (who has done all the most recent updates), and Bruno (registered maintainer).

CC: (none) => bruno, joequant
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2021-05-29 23:15:16 CEST
Fedora has issued an advisory for this on April 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GJUXEYHUPREEBPX23VPEKMFXUPVO3PMU/

The issue is also fixed in 2.4.11.

Comment 3 Nicolas Salguero 2021-06-02 13:41:27 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability:

OpenVPN 2.5.1 and earlier versions allow remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks. (CVE-2020-15078)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15078
https://ubuntu.com/security/notices/USN-4933-1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GJUXEYHUPREEBPX23VPEKMFXUPVO3PMU/
========================

Updated packages in 7/core/updates_testing:
========================
openvpn-2.4.9-1.1.mga7
lib(64)openvpn-devel-2.4.9-1.1.mga7

from SRPM:
openvpn-2.4.9-1.1.mga7.src.rpm

Updated packages in 8/core/updates_testing:
========================
openvpn-2.5.0-2.1.mga8
lib(64)openvpn-devel-2.5.0-2.1.mga8

from SRPM:
openvpn-2.5.0-2.1.mga8.src.rpm

Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 2.5.2 => (none)
Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2020-15078
Version: Cauldron => 8

Comment 4 Brian Rockwell 2021-06-16 20:15:15 CEST
MGA-64 - xfce - phys hardware

The following 4 packages are going to be installed:

- lib64pkcs11-helper1-1.27.0-1.mga8.x86_64
- libobjc4-10.3.0-1.mga8.x86_64
- openvpn-2.5.0-2.1.mga8.x86_64
- perl-Authen-PAM-0.160.0-25.mga8.x86_64

--- rebooted

Went through MCC and did some configuration, then modified netconfig.

Seems to be functional from my perspective.

Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK
CC: (none) => brtians1

