FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

openvpn -- two security fixes

Affected packages
openvpn < 2.6.11

Details

VuXML ID 142c538e-b18f-40a1-afac-c479effadd5c
Discovery 2024-05-16
Entry 2024-06-20

Gert Doering reports that OpenVPN 2.6.11 fixes two security bugs (three on Windows):

CVE-2024-5594: control channel: refuse control channel messages with nonprintable characters in them. Security scope: a malicious openvpn peer can send garbage to openvpn log, or cause high CPU load. (Reynir Björnsson)

CVE-2024-28882: only call schedule_exit() once (on a given peer). Security scope: an authenticated client can make the server "keep the session" even when the server has been told to disconnect this client. (Reynir Björnsson)

References

CVE Name CVE-2024-28882
CVE Name CVE-2024-5594
URL https://github.com/OpenVPN/openvpn/blob/v2.6.11/Changes.rst#security-fixes
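
The "Affected packages" range above (openvpn < 2.6.11) can be checked against a package inventory collected from several hosts; the following is an added example, not part of the VuXML entry or of OpenVPN. It assumes package strings in the FreeBSD `name-version[_revision][,epoch]` form with purely numeric dotted versions; the host names and package lists are constructed sample data.

```python
import re

# Boundary taken from the entry's "Affected packages" line: openvpn < 2.6.11
FIXED = "2.6.11"

# name-version[_portrevision][,portepoch]; the name may itself contain hyphens
_PKG_RE = re.compile(
    r"^(?P<name>.+)-(?P<ver>[0-9][0-9.]*)(?:_(?P<rev>\d+))?(?:,(?P<epoch>\d+))?$"
)

def parse_pkg(pkg):
    """Split a package string into (name, key); key orders by epoch, version, revision."""
    m = _PKG_RE.match(pkg.strip())
    if not m:
        raise ValueError(f"unrecognised package string: {pkg!r}")
    ver = tuple(int(p) for p in m["ver"].split(".") if p)
    return m["name"], (int(m["epoch"] or 0), ver, int(m["rev"] or 0))

def is_affected(pkg):
    """True only for the package named exactly 'openvpn' at a version below FIXED."""
    name, key = parse_pkg(pkg)
    if name != "openvpn":
        return False  # e.g. openvpn-auth-ldap is a different package
    _, fixed_key = parse_pkg("openvpn-" + FIXED)
    return key < fixed_key

def affected_hosts(inventory):
    """Return {host: [affected package strings]} for a host -> packages mapping."""
    hits = {}
    for host, pkgs in inventory.items():
        bad = []
        for p in pkgs:
            try:
                if is_affected(p):
                    bad.append(p)
            except ValueError:
                continue  # not in name-version form; skipped
        if bad:
            hits[host] = bad
    return hits

# Constructed sample inventory (hypothetical hosts and package lists)
SAMPLE = {
    "gw-a": ["openvpn-2.6.10_1", "openssl-3.0.13,1"],
    "gw-b": ["openvpn-2.6.11"],
    "gw-c": ["openvpn-2.5.9", "openvpn-auth-ldap-2.0.4"],
}

if __name__ == "__main__":
    for host, pkgs in affected_hosts(SAMPLE).items():
        print(host, pkgs)
```

On a live FreeBSD host, `pkg audit -F` performs this comparison against the current VuXML database directly.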