Updated openvpn packages fix security vulnerabilities
Publication date: 08 Jul 2026Modification date: 08 Jul 2026
Type: security
Affected Mageia releases : 10 , 9
CVE: CVE-2026-11771 , CVE-2026-12932 , CVE-2026-12996 , CVE-2026-13117 , CVE-2026-13122 , CVE-2026-13698
Description
The updated packages fix security vulnerabilities:
Possible 1-byte buffer overrun on NTLMv2 proxy responses.
(CVE-2026-11771)
Memory-leak in tls-crypt-v2 client key handling that could lead to
out-of-memory situations and subsequent server crashes. (CVE-2026-12932)
Use-after-free bug in ack_write_buf(), triggerable by a well-timed
sequence of control channel + authentication packets. (CVE-2026-12996)
Use-after-free bug in tls_wrap_reneg(), triggerable by suitable sequence
of dynamic tls-crypt control-channel packets. (CVE-2026-13117)
Server crash on reception of suitably malformed auth-token, if
--auth-gen-token external-auth is active. (CVE-2026-13122)
Another memory leak on reception of suitable tls-crypt-v2 packets that
could lead to an out of memory situation and server crash.
(CVE-2026-13698)
References
- https://bugs.mageia.org/show_bug.cgi?id=35840
- https://github.com/OpenVPN/openvpn/releases/tag/v2.6.21
- https://lists.debian.org/debian-security-announce/2026/msg00287.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K3GB3J43NMV2S6RIUKB3FSX5H6RA4KP7/
- https://www.cve.org/CVERecord?id=CVE-2026-11771
- https://www.cve.org/CVERecord?id=CVE-2026-12932
- https://www.cve.org/CVERecord?id=CVE-2026-12996
- https://www.cve.org/CVERecord?id=CVE-2026-13117
- https://www.cve.org/CVERecord?id=CVE-2026-13122
- https://www.cve.org/CVERecord?id=CVE-2026-13698
SRPMS
10/core
- openvpn-2.6.21-1.mga10
9/core
- openvpn-2.6.21-1.mga9