[eduVPN-deploy] Regarding OpenVPN CVE
François Kooman
fkooman at tuxed.net
Wed Apr 21 22:28:56 CEST 2021
Hi all,
The OpenVPN project released a new version of the OpenVPN client/server,
2.5.2 (and 2.4.11). The CVE only impacts the server.
For details: https://community.openvpn.net/openvpn/wiki/CVE-2020-15078
In eduVPN/Let's Connect! 2.x we do not use "--auth-gen-token", so
unauthorized access to the VPN won't be possible because of this
security issue. Furthermore, no "delayed authentication" is used, so
information leakage is also not possible without a valid account.
As far as I can tell based on the CVE description there is no immediate
need to address this problem and we can wait for Debian, CentOS and
Fedora provided OpenVPN updates.
Let us know if you have any questions or remarks.
Regards,
François
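
Added example (not part of the original message and not eduVPN or OpenVPN project code): a small Python check a deployer could run against a server config to confirm the two conditions the message relies on, namely that "auth-gen-token" is absent and whether the installed version is one of the fixed releases named above. The REVIEW directive list and the sample config are assumptions made for illustration.

```python
import re

# Fixed releases named in the announcement, keyed by release branch.
FIXED = {(2, 4): (2, 4, 11), (2, 5): (2, 5, 2)}
# Assumption (not from the post): directives that attach an external auth
# backend, which is where deferred authentication would be configured.
REVIEW = {"plugin", "management-client-auth", "auth-user-pass-verify"}
# Constructed sample server config, not an eduVPN one.
SAMPLE = """\
port 1194
;auth-gen-token 3600
<tls-crypt>
auth-gen-token placeholder-line-inside-inline-block
</tls-crypt>
auth-user-pass-verify /usr/local/bin/check.sh via-file
"""


def directives(config_text):
    """Yield (name, args) per directive, skipping comments and inline blocks."""
    inline_end = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if inline_end:  # inside a <tag>...</tag> block: key material, not options
            if line == inline_end:
                inline_end = None
            continue
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            inline_end = f"</{m.group(1)}>"
            continue
        parts = line.split()
        yield parts[0].lstrip("-"), parts[1:]  # accept "--auth-gen-token" too


def assess(config_text, version):
    """Return findings for one server config and an 'x.y.z' version string."""
    names = {name for name, _ in directives(config_text)}
    v = tuple(int(p) for p in version.split(".")[:3])
    fixed = FIXED.get(v[:2])
    return {
        "auth_gen_token": "auth-gen-token" in names,
        "review_auth_backend": sorted(names & REVIEW),
        # None: branch not mentioned in the announcement, so no verdict
        "has_fix": None if fixed is None else v >= fixed,
    }

if __name__ == "__main__":
    print(assess(SAMPLE, "2.5.1"))
```

A result with "auth_gen_token" False and an empty "review_auth_backend" list matches the situation described in the message; any listed backend directive needs a manual look to see whether it defers authentication.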