CVE-2020-15078

Published: 26 April 2021

OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.

Priority

Medium

Status

Package Release Status
openvpn
Launchpad, Ubuntu, Debian
Upstream
Released (2.5.2)
Ubuntu 21.04 (Hirsute Hippo)
Released (2.5.1-1ubuntu1.1)
Ubuntu 20.10 (Groovy Gorilla)
Released (2.4.9-3ubuntu1.1)
Ubuntu 20.04 LTS (Focal Fossa)
Released (2.4.7-1ubuntu2.20.04.2)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (2.4.4-2ubuntu1.5)
Ubuntu 16.04 ESM (Xenial Xerus) Not vulnerable
(code not present)
Ubuntu 14.04 ESM (Trusty Tahr) Not vulnerable
(code not present)
Patches:
Upstream: https://github.com/OpenVPN/openvpn/commit/f7b3bf067ffce72e7de49a4174fd17a3a83f0573 (v2.5.2)
Upstream: https://github.com/OpenVPN/openvpn/commit/3d18e308c4e7e6f7ab7c2826c70d2d07b031c18a (v2.5.2)
Upstream: https://github.com/OpenVPN/openvpn/commit/3aca477a1b58714754fea3a26d0892fffc51db6b (v2.5.2)
Upstream: https://github.com/OpenVPN/openvpn/commit/0e5516a9d656ce86f7fb370c824344ea1760c255 (2.4.11)