{"id":"MGASA-2020-0195","summary":"Updated openvpn packages fix security vulnerability","details":"Updated openvpn packages fix security vulnerability:\n\nAn issue was discovered in OpenVPN 2.4.x before 2.4.9. An attacker can\ninject a data channel v2 (P_DATA_V2) packet using a victim's peer-id.\nNormally such packets are dropped, but if this packet arrives before the\ndata channel crypto parameters have been initialized, the victim's\nconnection will be dropped. This requires careful timing due to the small\ntime window (usually within a few seconds) between the victim client\nconnection starting and the server PUSH_REPLY response back to the client.\nThis attack will only work if Negotiable Cipher Parameters (NCP) is in\nuse (CVE-2020-11810).\n\nThe openvpn package has been updated to version 2.4.9, fixing the issue\nand other bugs. See the upstream release notes for details.\n","modified":"2026-02-02T15:51:54.778034Z","published":"2020-05-05T12:20:37Z","related":["CVE-2020-11810"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2020-0195.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=26558"},{"type":"REPORT","url":"https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn24"},{"type":"REPORT","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/F6UXS4WUVAGMXRRBWQNUHMT5JZYYW4KW/"}],"affected":[{"package":{"name":"openvpn","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/openvpn?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.4.9-1.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2020-0195.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}