[eduVPN-deploy] [2021-08-27] *IMPORTANT* Package Updates
François Kooman
fkooman at tuxed.net
Fri Aug 27 15:01:29 CEST 2021
Hi all,
Today we are announcing a security update to a vulnerability in the
vpn-user-portal package. We'll talk about the details next Monday and
also update the "CHANGES" file linked to below at that point.
* vpn-user-portal 2.3.14 [1]
* php-lc-common / php-LC-common 2.2.6 [2]
You MUST install these updates if your server is running on Debian 10,
Debian 11 or Fedora. If your server runs on CentOS 7 or Debian 9 you are
not vulnerable, but should still update. A potential attacker requires a
valid local account to access the VPN portal in order to be able to
perform the attack. It is NOT exploitable by unauthenticated users.
As said, full details will be provided on Monday. Please install the
updates as soon as possible.
If you are currently running the latest version of all components you
can get away with just updating vpn-user-portal (apt upgrade / dnf
upgrade) without using vpn-maint-update-system which allows you to
update without interrupting the service. If you do NOT run the latest
version you MUST use vpn-maint-update-system as usual.
Let us know if you have any questions!
Regards,
François
[1]
https://git.sr.ht/~fkooman/vpn-user-portal/tree/v2/item/CHANGES.md#2314-2021-08-26
[2]
https://git.sr.ht/~fkooman/vpn-lib-common/tree/v2/item/CHANGES.md#226-2021-08-27
More information about the eduVPN-deploy
mailing list