ALAS2023-2025-967

Amazon Linux 2023 Security Advisory: ALAS2023-2025-967
Advisory Released Date: 2025-05-13
Advisory Updated Date: 2025-05-13

Severity: Medium

References: CVE-2025-2704
FAQs regarding Amazon Linux ALAS/CVE Severity

Issue Overview:

OpenVPN version 2.6.1 through 2.6.13 in server mode using TLS-crypt-v2 allows remote attackers to trigger a denial of service by corrupting and replaying network packets in the early handshake phase (CVE-2025-2704)

Affected Packages:

openvpn

Issue Correction:
Run dnf update openvpn --releasever 2023.7.20250512 to update your system.

New Packages:

aarch64:
    openvpn-devel-2.6.12-1.amzn2023.0.2.aarch64
    openvpn-debuginfo-2.6.12-1.amzn2023.0.2.aarch64
    openvpn-debugsource-2.6.12-1.amzn2023.0.2.aarch64
    openvpn-2.6.12-1.amzn2023.0.2.aarch64

src:
    openvpn-2.6.12-1.amzn2023.0.2.src

x86_64:
    openvpn-devel-2.6.12-1.amzn2023.0.2.x86_64
    openvpn-debuginfo-2.6.12-1.amzn2023.0.2.x86_64
    openvpn-debugsource-2.6.12-1.amzn2023.0.2.x86_64
    openvpn-2.6.12-1.amzn2023.0.2.x86_64

Additional References

Release Notes: Amazon Linux 2023 Release Notes

Red Hat: CVE-2025-2704

Mitre: CVE-2025-2704