CVE-2006-2229

NameCVE-2006-2229
DescriptionOpenVPN 2.0.7 and earlier, when configured to use the --management option with an IP that is not 127.0.0.1, uses a cleartext password for TCP sessions to the management interface, which might allow remote attackers to view sensitive information or cause a denial of service.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
openvpn (PTS)jessie (security), jessie2.3.4-5+deb8u2vulnerable
stretch2.4.0-6+deb9u2vulnerable
stretch (security)2.4.0-6+deb9u1vulnerable
buster, sid2.4.5-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
openvpnsource(unstable)(unfixed)unimportant

Notes

One needs to explicitly set the IP to something else than 127.0.0.1
in order to be vulnerable. The man page recommends not to do it.

Search for package or bug name: Reporting problems