Kururamisa kuburitswa kweOpenVPN 2.5.2 uye 2.4.11 kwakagadzirirwa, pasuru yekugadzira chaiyo yakavanzika network inobvumidza iwe kuronga encrypted chinongedzo pakati pemichina miviri yevatengi kana kupa yepakati VPN sevha yekushanda panguva imwe chete yevatengi vakati wandei. Iyo OpenVPN kodhi inogoverwa pasi peGPLv2 rezinesi, yakagadzirira-yakagadzirwa mabhanari mapakeji anogadzirwa kuDebian, Ubuntu, CentOS, RHEL uye Windows.
Izvo zvitsva zvinoburitswa zvinogadzirisa kusagadzikana (CVE-2020-15078) iyo inobvumira anorwisa ari kure kuti apfuure huchokwadi uye zvirambidzo zvekuwana kudonhedza VPN marongero. Dambudziko rinongoonekwa pamaseva akagadzirirwa kushandisa deferred_auth. Mune mamwe mamiriro ezvinhu, munhu anorwisa anogona kumanikidza sevha kudzosera PUSH_REPLY meseji ine data nezvesettings yeVPN isati yatumira iyo AUTH_FAILED meseji. Kana yasanganiswa nekushandiswa kwe --auth-gen-token parameter kana kushandiswa kwemushandisi kwechirongwa chavo chechokwadi chechiratidzo, kusagadzikana kunogona kuita kuti mumwe munhu awane mukana weVPN achishandisa account isingashande.
Pakati pekuchinja kusiri kwekuchengetedza, kune kuwedzera kwekuratidzwa kweruzivo nezve TLS ciphers yakabvumiranwa kuti ishandiswe nemutengi uye server. Kusanganisira ruzivo rwechokwadi nezverutsigiro rweTLS 1.3 uye EC zvitupa. Pamusoro pezvo, kusavapo kwefaira reCRL rine chitupa chekudzosa rondedzero panguva yeOpenVPN yekutanga iko zvino kubatwa sechikanganiso chinotungamira mukugumiswa.
Source: opennet.ru