A recent disclosure has revealed vulnerabilities (CVE-2024-5594) in the openvpn package, used for creating virtual private networks. These vulnerabilities can potentially allow for arbitrary execution of data or plugins in the system, posing a serious security risk. The vulnerability, as identified, stems from the lack of zero bytes and incorrect symbols when processing control reports like push_reply.
The openvpn team has addressed these issues in versions 2.5.11 and 2.6.11, which were released in June 2024. Initially considered a minor problem leading to the input of garbage data or increased CPU load, the severity of the vulnerability was later upgraded to critical (danger level 9.1 out of 10) as indicated in the release notes.
/Reports, release notes, official announcements.