{
  "document": {
    "aggregate_severity": {
      "text": "Low"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      },
      {
        "category": "details",
        "text": "* SECURITY UPDATE: Improper PUSH_REPLY sanitization allows attackers\n      to inject arbitrary data into third-party executables\n      - debian/patches/CVE-2024-5594.patch: Properly handle null bytes\n        and invalid characters in control\n      - CVE-2024-5594",
        "title": "Details"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/ubuntu16.04els/advisories/2025/clsa-2025_1744727573.json"
      },
      {
        "category": "self",
        "summary": "https://cve.tuxcare.com/els/releases/CLSA-2025:1744727573",
        "url": "https://cve.tuxcare.com/els/releases/CLSA-2025:1744727573"
      }
    ],
    "tracking": {
      "current_release_date": "2025-05-19T15:21:20Z",
      "generator": {
        "date": "2025-05-19T15:21:20Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CLSA-2025:1744727573",
      "initial_release_date": "2025-04-15T14:32:55Z",
      "revision_history": [
        {
          "date": "2025-04-15T14:32:55Z",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-05-19T15:21:20Z",
          "number": "2",
          "summary": "Official Publication"
        }
      ],
      "status": "final",
      "version": "2"
    },
    "title": "Fix CVE(s): CVE-2024-5594"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Ubuntu 16.04",
                "product": {
                  "name": "Ubuntu 16.04",
                  "product_id": "Ubuntu-16",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Ubuntu"
          }
        ],
        "category": "vendor",
        "name": "Canonical Ltd."
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "openvpn-0:2.3.10-1ubuntu2.2+tuxcare.els3.amd64",
                "product": {
                  "name": "openvpn-0:2.3.10-1ubuntu2.2+tuxcare.els3.amd64",
                  "product_id": "openvpn-0:2.3.10-1ubuntu2.2+tuxcare.els3.amd64",
                  "product_identification_helper": {
                    "purl": "pkg:deb/cloudlinux/openvpn@2.3.10-1ubuntu2.2%2Btuxcare.els3?arch=amd64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "amd64"
          }
        ],
        "category": "vendor",
        "name": "CloudLinux"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "openvpn-0:2.3.10-1ubuntu2.2+tuxcare.els3.amd64 as a component of Ubuntu 16.04",
          "product_id": "Ubuntu-16:openvpn-0:2.3.10-1ubuntu2.2+tuxcare.els3.amd64"
        },
        "product_reference": "openvpn-0:2.3.10-1ubuntu2.2+tuxcare.els3.amd64",
        "relates_to_product_reference": "Ubuntu-16"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-5594",
      "cwe": {
        "id": "CWE-1287",
        "name": "Improper Validation of Specified Type of Input"
      },
      "notes": [
        {
          "category": "description",
          "text": "OpenVPN before 2.6.11 does not santize PUSH_REPLY messages properly which an attacker controlling the server can use to inject unexpected arbitrary data ending up in client logs.",
          "title": "Vulnerability description"
        }
      ],
      "product_status": {
        "fixed": [
          "Ubuntu-16:openvpn-0:2.3.10-1ubuntu2.2+tuxcare.els3.amd64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2024-5594"
        },
        {
          "category": "external",
          "summary": "https://community.openvpn.net/openvpn/wiki/CVE-2024-5594",
          "url": "https://community.openvpn.net/openvpn/wiki/CVE-2024-5594"
        },
        {
          "category": "external",
          "summary": "https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg07634.html",
          "url": "https://www.mail-archive.com/openvpn-users@lists.sourceforge.net/msg07634.html"
        }
      ],
      "release_date": "2025-01-06T14:15:00",
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ]
    }
  ]
}