git: ba380acff776 - main - security/vuxml: add OpenVPN < 2.5.6 deferred auth plugin vuln

From: Matthias Andree <mandree_at_FreeBSD.org>
Date: Thu, 17 Mar 2022 22:28:13 UTC
The branch main has been updated by mandree:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ba380acff776bd1b84811b70d7b3ca6f0a9abfd2

commit ba380acff776bd1b84811b70d7b3ca6f0a9abfd2
Author:     Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2022-03-17 22:24:35 +0000
Commit:     Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2022-03-17 22:27:50 +0000

    security/vuxml: add OpenVPN < 2.5.6 deferred auth plugin vuln
    
    Security:       CVE-2022-0547
---
 security/vuxml/vuln-2022.xml | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/security/vuxml/vuln-2022.xml b/security/vuxml/vuln-2022.xml
index a7d0029d21c0..d6339c35bb9a 100644
--- a/security/vuxml/vuln-2022.xml
+++ b/security/vuxml/vuln-2022.xml
@@ -1,3 +1,34 @@
+  <vuln vid="45a72180-a640-11ec-a08b-85298243e224">
+    <topic>openvpn -- Potential authentication by-pass with multiple deferred authentication plug-ins</topic>
+    <affects>
+      <package>
+	<name>openvpn</name>
+	<range><lt>2.5.6</lt></range>
+      </package>
+      <package>
+	<name>openvpn-mbedtls</name>
+	<range><lt>2.5.6</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>David Sommerseth reports:</p>
+	<blockquote cite="https://community.openvpn.net/openvpn/wiki/CVE-2022-0547">
+	  <p>OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials.  This issue is resolved in OpenVPN 2.4.12 and v2.5.6.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2022-0547</cvename>
+      <url>https://community.openvpn.net/openvpn/wiki/CVE-2022-0547</url>
+      <url>https://github.com/OpenVPN/openvpn/blob/release/2.5/Changes.rst#overview-of-changes-in-256</url>
+    </references>
+    <dates>
+      <discovery>2022-03-10</discovery>
+      <entry>2022-03-17</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="5df757ef-a564-11ec-85fa-a0369f7f7be0">
     <topic>wordpress -- multiple issues</topic>
     <affects>
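Review bot: The affected range on both `openvpn` and `openvpn-mbedtls` is a bare `<lt>2.5.6</lt>`, which is wider than the advisory quoted in the same entry. That text starts the affected series at 2.1 and names 2.4.12 as a fixed release, so an installed 2.4.12 or later 2.4.x would still be reported as vulnerable by audit tooling that consumes this file. If any supported package can carry a 2.4.x version (not visible from this hunk), consider splitting the range, e.g. `<range><ge>2.1</ge><lt>2.4.12</lt></range>` plus `<range><ge>2.5.0</ge><lt>2.5.6</lt></range>`. Otherwise a short XML comment above the ranges saying the over-broad match is deliberate would save the next maintainer the question. The added `<vuln>` element is complete within the hunk; the surrounding file is not shown.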