CVE-2022-0547

Name	CVE-2022-0547
Description	OpenVPN 2.1 until v2.4.12 and v2.5.6 may enable authentication bypass in external authentication plug-ins when more than one of them makes use of deferred authentication replies, which allows an external user to be granted access with only partially correct credentials.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-2992-1
Debian Bugs	1008015

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
openvpn (PTS)	buster	2.4.7-1+deb10u1	vulnerable
	bullseye	2.5.1-3	vulnerable
	bookworm, bookworm (security)	2.6.3-1+deb12u2	fixed
	sid, trixie	2.6.7-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
openvpn	source	stretch	2.4.0-6+deb9u4		DLA-2992-1
openvpn	source	(unstable)	2.5.6-1			1008015

Notes

[bullseye] - openvpn <no-dsa> (Minor issue)
[buster] - openvpn <no-dsa> (Minor issue)
https://community.openvpn.net/openvpn/wiki/CVE-2022-0547
https://github.com/OpenVPN/openvpn/commit/58ec3bb4aac77131118dbbc39a65181e7847adee (v2.4.12)
https://github.com/OpenVPN/openvpn/commit/af3e382649d96ae77cc5e42be8270f355e5cfec5 (v2.5.6)