openvpn-2.5.4-2.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11692-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z openvpn-2.5.4-2.1 on GA media These are all security issues fixed in the openvpn-2.5.4-2.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11692 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2018-7544/ SUSE CVE CVE-2018-7544 page openSUSE Tumbleweed openvpn-2.5.4-2.1 openvpn-auth-pam-plugin-2.5.4-2.1 openvpn-devel-2.5.4-2.1 openvpn-down-root-plugin-2.5.4-2.1 openvpn-2.5.4-2.1 as a component of openSUSE Tumbleweed openvpn-auth-pam-plugin-2.5.4-2.1 as a component of openSUSE Tumbleweed openvpn-devel-2.5.4-2.1 as a component of openSUSE Tumbleweed openvpn-down-root-plugin-2.5.4-2.1 as a component of openSUSE Tumbleweed ** DISPUTED ** A cross-protocol scripting issue was discovered in the management interface in OpenVPN through 2.4.5. When this interface is enabled over TCP without a password, and when no other clients are connected to this interface, attackers can execute arbitrary management commands, obtain sensitive information, or cause a denial of service (SIGTERM) by triggering XMLHttpRequest actions in a web browser. This is demonstrated by a multipart/form-data POST to http://localhost:23000 with a "signal SIGTERM" command in a TEXTAREA element. NOTE: The vendor disputes that this is a vulnerability. They state that this is the result of improper configuration of the OpenVPN instance rather than an intrinsic vulnerability, and now more explicitly warn against such configurations in both the management-interface documentation, and with a runtime warning. CVE-2018-7544 openSUSE Tumbleweed:openvpn-2.5.4-2.1 openSUSE Tumbleweed:openvpn-auth-pam-plugin-2.5.4-2.1 openSUSE Tumbleweed:openvpn-devel-2.5.4-2.1 openSUSE Tumbleweed:openvpn-down-root-plugin-2.5.4-2.1 low 6.4 AV:N/AC:L/Au:N/C:P/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2018-7544.html CVE-2018-7544 https://bugzilla.suse.com/1085803 SUSE Bug 1085803