OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials.
Created openvpn tracking bugs for this issue:

Affects: epel-all [bug 2294453]
Affects: fedora-all [bug 2294452]
Why is this being reported again?

From the pkgs.fedoraproject.org/rpms/openvpn git log:

--------------------------------------------------------------
$ git log --grep 2022-0547 epel9
commit 9c2a62d8fb7430969e280b87f0399df9e74a8255
Author: David Sommerseth <dazo>
Date:   Wed Mar 16 14:14:45 2022 +0100

    Update to upstream OpenVPN 2.5.6

    Fixes CVE-2022-0547

    Signed-off-by: David Sommerseth <dazo>

$ git log --grep 2022-0547 epel8
commit b30ce2819617af912fb777398a6b08c197d87c6f
Author: David Sommerseth <dazo>
Date:   Thu Mar 17 19:43:29 2022 +0100

    Update to upstream OpenVPN 2.4.12

    Fixes CVE-2022-0547

    Signed-off-by: David Sommerseth <dazo>

$ git log --grep 2022-0547 rawhide
commit cee438664951caf6a617bac1759607c2a5217a3c
Author: David Sommerseth <dazo>
Date:   Wed Mar 16 14:14:45 2022 +0100

    Update to upstream OpenVPN 2.5.6

    Fixes CVE-2022-0547

    Signed-off-by: David Sommerseth <dazo>

$ git log --grep 2022-0547 f40
commit cee438664951caf6a617bac1759607c2a5217a3c
Author: David Sommerseth <dazo>
Date:   Wed Mar 16 14:14:45 2022 +0100

    Update to upstream OpenVPN 2.5.6

    Fixes CVE-2022-0547

    Signed-off-by: David Sommerseth <dazo>

$ git log --grep 2022-0547 f39
commit cee438664951caf6a617bac1759607c2a5217a3c
Author: David Sommerseth <dazo>
Date:   Wed Mar 16 14:14:45 2022 +0100

    Update to upstream OpenVPN 2.5.6

    Fixes CVE-2022-0547

    Signed-off-by: David Sommerseth <dazo>
--------------------------------------------------------------
Further details here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0547
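
Added example, not part of the bug report or of OpenVPN or Fedora packaging: a triage check that combines the version range from the description with the number of plugin directives in a server config. The sample config, the second plugin path and the treatment of branches after 2.5 as fixed are assumptions; the config alone cannot show whether a plugin uses deferred authentication, so a positive result only marks a server for review.

```python
import re

# Fixed releases named on this page: 2.4.12 (2.4 branch) and 2.5.6 (2.5 branch).
FIXED = {(2, 4): (2, 4, 12), (2, 5): (2, 5, 6)}

# Constructed sample config; the second plugin path is hypothetical.
SAMPLE_CONF = """\
port 1194
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login
;plugin /opt/disabled.so
plugin /opt/example/otp-plugin.so   # hypothetical second plugin
"""

def parse_version(banner):
    """Extract (major, minor, patch) from 'OpenVPN 2.5.5 x86_64-...' or '2.5.5'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", banner)
    if not m:
        raise ValueError("no version in %r" % banner)
    return tuple(int(g or 0) for g in m.groups())

def is_affected(version):
    """True when the version falls in the range given in the description."""
    if version < (2, 1, 0):
        return False                    # before the stated start of the range
    if version[:2] == (2, 5):
        return version < FIXED[(2, 5)]
    if version[:2] > (2, 5):
        return False                    # assumption: later branches carry the fix
    return version < FIXED[(2, 4)]      # 2.1 up to the 2.4 branch fix

def plugin_lines(config_text):
    """Return the active 'plugin' directives, ignoring '#' and ';' comments."""
    found = []
    for raw in config_text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if line.split()[:1] == ["plugin"]:
            found.append(line)
    return found

def needs_review(banner, config_text):
    """Affected version and more than one plugin loaded: check for deferred auth."""
    return is_affected(parse_version(banner)) and len(plugin_lines(config_text)) > 1

if __name__ == "__main__":
    print(needs_review("OpenVPN 2.5.5 x86_64-redhat-linux-gnu", SAMPLE_CONF))
```
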