Amazon Linux 2023 Security Advisory: ALAS2023-2026-1644
Advisory Released Date: 2026-05-14
Advisory Updated Date: 2026-05-14
Severity:
Medium
Issue Overview:
According to upstream advisory (https://community.openvpn.net/Security%20Announcements/CVE-2026-35058):
OpenVPN server crash via ASSERT triggered by malformed tls-crypt-v2 packet; attacker with a valid tls-crypt-v2 client key can send a crafted control channel packet to crash the server (DoS). Fixed in 2.6.20 and 2.7.2. (CVE-2026-35058)
In a race condition an old TLS session could still try to send a packet but also get replaced by a new session. In this case, the buffer of the new session is still referenced. Add the check_session_buf_not_used function to mitigate this problem. (CVE-2026-40215)
Affected Packages:
openvpn
Issue Correction:
Run dnf update openvpn --releasever 2023.11.20260511 or dnf update --advisory ALAS2023-2026-1644 --releasever 2023.11.20260511 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation
New Packages:
aarch64:
openvpn-debugsource-2.6.12-1.amzn2023.0.4.aarch64
openvpn-debuginfo-2.6.12-1.amzn2023.0.4.aarch64
openvpn-devel-2.6.12-1.amzn2023.0.4.aarch64
openvpn-2.6.12-1.amzn2023.0.4.aarch64
src:
openvpn-2.6.12-1.amzn2023.0.4.src
x86_64:
openvpn-debugsource-2.6.12-1.amzn2023.0.4.x86_64
openvpn-devel-2.6.12-1.amzn2023.0.4.x86_64
openvpn-debuginfo-2.6.12-1.amzn2023.0.4.x86_64
openvpn-2.6.12-1.amzn2023.0.4.x86_64