Bug 30186 - openvpn new security issue CVE-2022-0547
Summary: openvpn new security issue CVE-2022-0547
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-03-18 03:43 CET by David Walser
Modified: 2022-03-30 19:07 CEST

See Also:
Source RPM: openvpn-2.5.0-2.1.mga8.src.rpm
CVE: CVE-2022-0547
Status comment:



David Walser 2022-03-18 03:43:28 CET

Status comment: (none) => Fixed upstream in 2.5.6
Whiteboard: (none) => MGA8TOO

Comment 1 Lewis Smith 2022-03-18 08:35:03 CET
No obvious packager for this these days, so assigning it globally.
CC'ing Joseph who used to deal with it.

CC: (none) => joequant
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2022-03-18 11:40:49 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Potential authentication by-pass with multiple deferred authentication plug-ins. (CVE-2022-0547)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0547
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/SPPNX2WVJ47VJUXDLHQ2RAW77YRH6WIP/
https://community.openvpn.net/openvpn/wiki/CVE-2022-0547
https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst
========================

Updated packages in core/updates_testing:
========================
lib(64)openvpn-devel-2.5.0-2.2.mga8
openvpn-2.5.0-2.2.mga8

from SRPM:
openvpn-2.5.0-2.2.mga8.src.rpm

CVE: (none) => CVE-2022-0547
Version: Cauldron => 8
CC: (none) => nicolas.salguero
Whiteboard: MGA8TOO => (none)
Status comment: Fixed upstream in 2.5.6 => (none)
Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
Source RPM: openvpn-2.5.4-1.mga9.src.rpm => openvpn-2.5.0-2.1.mga8.src.rpm

Comment 3 Nicolas Salguero 2022-03-29 10:15:35 CEST
Hi,

I have been using that version for ten days, when I work from home, without any problem.

Best regards,

Nico.

Comment 4 Thomas Andrews 2022-03-30 01:24:21 CEST
I've been toying with the idea of using a vpn for a while, but haven't taken the plunge yet, so I can't really test this. But, I can add an installation check from another party, just to be overly cautious. 

I updated openvpn in a VirtualBox guest, with no installation issues. Using Comment 3 to verify that it works, I'm going to OK it and validate. Advisory in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK

Dave Hodgins 2022-03-30 01:59:02 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 5 Mageia Robot 2022-03-30 19:07:52 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0123.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

