
Two security updates are available for OpenVPN, a virtual private network application. The first update (ELA-1519-1) affects Debian GNU/Linux 9 (Stretch) Extended LTS and fixes a vulnerability (CVE-2024-5594) that could result in data injection. The second update (ELA-1518-1) affects Debian GNU/Linux 10 (Buster) Extended LTS and fixes the same CVE-2024-5594 issue, as well as another vulnerability (CVE-2022-0547) that allows authentication bypass. Both updates stop attackers from using PUSH_REPLY messages to inject unexpected arbitrary data into third-party executables or plug-ins.

ELA-1519-1 openvpn security update
ELA-1518-1 openvpn security update



ELA-1519-1 openvpn security update


Package : openvpn
Version : 2.4.0-6+deb9u5 (stretch)

Related CVEs :
CVE-2024-5594

A vulnerability was discovered in openvpn, a virtual private
network application, which could result in data injection.

CVE-2024-5594
OpenVPN does not sanitize PUSH_REPLY messages properly, which
attackers can use to inject unexpected arbitrary data into
third-party executables or plug-ins.





ELA-1518-1 openvpn security update


Package : openvpn
Version : 2.4.7-1+deb10u2 (buster)

Related CVEs :
CVE-2022-0547
CVE-2024-5594

Two vulnerabilities were discovered in openvpn, a virtual private
network application, which could result in authentication bypass or
data injection.

CVE-2022-0547
OpenVPN may enable authentication bypass in external
authentication plug-ins when more than one of them makes use of
deferred authentication replies, which allows an external user to
be granted access with only partially correct credentials.

CVE-2024-5594
OpenVPN does not sanitize PUSH_REPLY messages properly, which
attackers can use to inject unexpected arbitrary data into
third-party executables or plug-ins.

