Bugzilla – Bug 1185279
VUL-0: CVE-2020-15078: openvpn, openvpn-openssl1: Authentication bypass with deferred authentication
Last modified: 2023-02-13 15:15:36 UTC
rh#1952934
OpenVPN 2.5.1 and earlier versions allow remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1952934
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15078
https://community.openvpn.net/openvpn/wiki/CVE-2020-15078
tracking as affected:
- SUSE:SLE-11-SP1:Update/openvpn
- SUSE:SLE-11-SP3:Update/openvpn
- SUSE:SLE-12:Update/openvpn
- SUSE:SLE-15:Update/openvpn
- SUSE:SLE-11-SP3:Updateopenvpn-openssl1
just saw my typo..
(In reply to Robert Frohl from comment #2)
> tracking as affected:
>
> - SUSE:SLE-11-SP3:Updateopenvpn-openssl1
- SUSE:SLE-11-SP3:Update/openvpn-openssl1
Not sure if openvpn versions before 2.1 (SLE-11-SP1 and SLE-11-SP3 have 2.0.9) are even vulnerable, because they did not support deferred authentication, so at least the "#ifdef ENABLE_DEF_AUTH" block in the patch won't ever get compiled in there. The rest applies and compiles, but I am not sure if it is needed at all.
SUSE-SU-2021:1576-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1085803,1185279
CVE References: CVE-2018-7544,CVE-2020-15078
JIRA References:
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src): openvpn-2.3.8-16.26.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:1577-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 1085803,1169925,1185279
CVE References: CVE-2018-7544,CVE-2020-11810,CVE-2020-15078
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): openvpn-2.4.3-5.7.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): openvpn-2.4.3-5.7.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:14723-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 1085803,1185279
CVE References: CVE-2018-7544,CVE-2020-15078
JIRA References:
Sources used:
SUSE Linux Enterprise Server 11-SECURITY (src): openvpn-openssl1-2.3.2-0.10.9.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:0734-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 1085803,1169925,1185279
CVE References: CVE-2018-7544,CVE-2020-11810,CVE-2020-15078
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): openvpn-2.4.3-lp152.6.3.1
*** Bug 1186874 has been marked as a duplicate of this bug. ***
*** Bug 1186876 has been marked as a duplicate of this bug. ***
This is an autogenerated message for OBS integration:
This bug (1185279) was mentioned in
https://build.opensuse.org/request/show/898085 Factory / openvpn
opposite to initial assessment, these codestreams are not affected:
- SUSE:SLE-11-SP1:Update/openvpn
- SUSE:SLE-11-SP3:Update/openvpn
all released, closing