Ubuntu has issued an advisory on May 4:
https://ubuntu.com/security/notices/USN-4933-1

The issue is fixed upstream in 2.5.2. Mageia 7 and Mageia 8 are also affected.

Status comment: (none) => Fixed upstream in 2.5.2
Whiteboard: (none) => MGA8TOO, MGA7TOO
Unsure who to give this to, so assigning it globally. CC'd Joseph (who has done all the most recent updates), and Bruno (registered maintainer).
CC: (none) => bruno, joequant
Assignee: bugsquad => pkg-bugs

Fedora has issued an advisory for this on April 24:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GJUXEYHUPREEBPX23VPEKMFXUPVO3PMU/

The issue is also fixed in 2.4.11.
Suggested advisory:
========================

The updated packages fix a security vulnerability:

OpenVPN 2.5.1 and earlier versions allow remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks. (CVE-2020-15078)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15078
https://ubuntu.com/security/notices/USN-4933-1
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GJUXEYHUPREEBPX23VPEKMFXUPVO3PMU/
========================

Updated packages in 7/core/updates_testing:
========================
openvpn-2.4.9-1.1.mga7
lib(64)openvpn-devel-2.4.9-1.1.mga7

from SRPM:
openvpn-2.4.9-1.1.mga7.src.rpm

Updated packages in 8/core/updates_testing:
========================
openvpn-2.5.0-2.1.mga8
lib(64)openvpn-devel-2.5.0-2.1.mga8

from SRPM:
openvpn-2.5.0-2.1.mga8.src.rpm
CVE: (none) => CVE-2020-15078
Assignee: pkg-bugs => qa-bugs
Version: Cauldron => 8
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Status comment: Fixed upstream in 2.5.2 => (none)
CC: (none) => nicolas.salguero
Status: NEW => ASSIGNED
MGA-64 - xfce - phys hardware

The following 4 packages are going to be installed:

- lib64pkcs11-helper1-1.27.0-1.mga8.x86_64
- libobjc4-10.3.0-1.mga8.x86_64
- openvpn-2.5.0-2.1.mga8.x86_64
- perl-Authen-PAM-0.160.0-25.mga8.x86_64

---
rebooted
went through MCC and did some configuration then modified netconfig.

Seems to be functional from my perspective.

Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK
CC: (none) => brtians1
MGA7-64

The following 3 packages are going to be installed:

- glibc-2.29-23.mga7.x86_64
- glibc-devel-2.29-23.mga7.x86_64
- openvpn-2.4.9-1.1.mga7.x86_64

Also installed dev package

------------
ran a couple of commands with openvpn

# openvpn --show-ciphers
The following ciphers and cipher modes are available for use
with OpenVPN. Each cipher shown below may be use as a
parameter to the --cipher option. The default key size is
shown as well as whether or not it can be changed with the
--keysize directive. Using a CBC or GCM mode is recommended.
In static key mode only CBC mode is allowed.

AES-128-CBC (128 bit key, 128 bit block)

etc. etc. etc.

it is responding.
Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA8-64-OK MGA7-64-OK
Validating. Advisory in Comment 3.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Keywords: (none) => advisory
CC: (none) => ouaurelien
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0302.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED