Changes between Version 2 and Version 3 of CVE-2020-15078


Timestamp: 04/21/21 12:28:00 (3 years ago)
Author: Samuli Seppänen
Comment: --

  • CVE-2020-15078

    v2 v3  
    77Under very specific circumstances it is possible to allow tricking a server using delayed authentication (plugin or management) into returning a PUSH_REPLY before the AUTH_FAILED message, which can possibly be used to gather information about a VPN setup. In combination with "--auth-gen-token" or a user-specific token auth solution it can be possible to get access to a VPN with an otherwise-invalid account.
    88
    9 = Recommendations =
     9= Fixed OpenVPN versions =
    1010
    11 This vulnerabiliyt has been fixed in release/2.5 and release/2.4 branches. We recommend upgrading to OpenVPN 2.5.2 or 2.4.11.
     11This vulnerabiliyt has been fixed in
     12
     13* release/2.5 branch (commits f7b3bf06, 3d18e308c4 and 3aca477a1b5)
     14* release/2.4 branch (commit 0e5516a9)
     15
     16Releases with the fix are:
     17
     18* OpenVPN 2.5.2
     19* OpenVPN 2.4.11
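
Review bot: the added line 11 ("This vulnerabiliyt has been fixed in") carries over the misspelling "vulnerabiliyt" from v2 and should read "vulnerability". The rewrite also removes the "We recommend upgrading to OpenVPN 2.5.2 or 2.4.11" sentence together with the "Recommendations" heading, so v3 lists the fixed releases without telling readers to upgrade; consider keeping one sentence of upgrade advice under the new "Fixed OpenVPN versions" heading. The commit ids on lines 13 and 14 are abbreviated to different lengths (8, 10 and 11 characters); one consistent length, or the full hashes, would make them easier to look up.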