src/plugins/auth-pam/auth-pam.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fix libpam.so filename to /lib/libpam.so.0 in pam plugin

sample/sample-config-files/client.conf | 2 1 + 1 - 0 !
sample/sample-config-files/server.conf | 2 1 + 1 - 0 !
sample/sample-config-files/static-home.conf | 2 1 + 1 - 0 !
sample/sample-config-files/static-office.conf | 2 1 + 1 - 0 !
sample/sample-config-files/tls-home.conf | 2 1 + 1 - 0 !
sample/sample-config-files/tls-office.conf | 2 1 + 1 - 0 !
6 files changed, 6 insertions(+), 6 deletions(-)

 unpriviledged group in debian is called nogroup instead of nobody

src/openvpn/options.c | 14 14 + 0 - 0 !
1 file changed, 14 insertions(+)

 warn users about deprecated pkcs11 options

src/openvpn/lladdr.c | 2 1 + 1 - 0 !
src/openvpn/route.c | 15 8 + 7 - 0 !
src/openvpn/ssl.c | 2 1 + 1 - 0 !
src/openvpn/syshead.h | 2 1 + 1 - 0 !
src/openvpn/tun.c | 6 3 + 3 - 0 !
5 files changed, 14 insertions(+), 13 deletions(-)

 improve kfreebsd support

src/openvpn/options.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] change command help to match man page and implementation

src/openvpn/ssl.c | 7 6 + 1 - 0 !
1 file changed, 6 insertions(+), 1 deletion(-)

 [patch] don't assert out on receiving too-large control packets
 (CVE-2017-xxx)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Commit 3c1b19e0 changed the maximum size of accepted control channel
packets.  This was needed for crypto negotiation (which is needed for a
nice transition to a new default cipher), but exposed a DoS
vulnerability.  The vulnerability was found during the OpenVPN 2.4 code
audit by Quarkslab (commisioned by OSTIF).

To fix the issue, we should not ASSERT() on external input (in this case
the received packet size), but instead gracefully error out and drop the
invalid packet.

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Signed-off-by: Samuli Seppnen <samuli@openvpn.net>

CVE-2017-7478

  Security
  

src/openvpn/crypto.c | 20 8 + 12 - 0 !
src/openvpn/packet_id.c | 24 21 + 3 - 0 !
src/openvpn/packet_id.h | 35 12 + 23 - 0 !
src/openvpn/tls_crypt.c | 6 1 + 5 - 0 !
tests/unit_tests/openvpn/Makefile.am | 13 12 + 1 - 0 !
tests/unit_tests/openvpn/mock_msg.c | 15 6 + 9 - 0 !
tests/unit_tests/openvpn/test_packet_id.c | 168 168 + 0 - 0 !
7 files changed, 228 insertions(+), 53 deletions(-)

 [patch] cleanup: merge packet_id_alloc_outgoing() into
 packet_id_write()

The functions packet_id_alloc_outgoing() and packet_id_write() were
always called in tandem.  Instead of forcing the caller to allocate a
packet_id_net to do so, merge the two functions.  This simplifies the API
and reduces the chance on mistakes in the future.

This patch adds unit tests to verify the behaviour of packet_id_write().
Verifying that we assert out correctly required the change to mock_msg.c.

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>

src/openvpn/crypto.c | 25 16 + 9 - 0 !
src/openvpn/packet_id.c | 22 16 + 6 - 0 !
src/openvpn/packet_id.h | 1 1 + 0 - 0 !
src/openvpn/tls_crypt.c | 6 5 + 1 - 0 !
tests/unit_tests/openvpn/test_packet_id.c | 11 9 + 2 - 0 !
5 files changed, 47 insertions(+), 18 deletions(-)

 [patch 2/2] drop packets instead of asserting out if packet id rolls
 over
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Previously, if a mode was selected where packet ids are not allowed to roll
over, but renegotiation does not succeed for some reason (e.g. no password
entered in time, certificate expired or a malicious peer that refuses the
renegotiaion on purpose) we would continue to use the old keys.  Until the
packet ID would roll over and we would ASSERT() out.

Given that this can be triggered on purpose by an authenticated peer, this
is a fix for an authenticated remote DoS vulnerability.  An attack is
rather inefficient though; a peer would need to get us to send 2^32
packets (min-size packet is IP+UDP+OPCODE+PID+TAG (no payload), results in
(20+8+1+4+16)2^32 bytes, or approx. 196 GB).

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>

CVE-2017-7479

src/openvpn/ssl_verify.c | 51 31 + 20 - 0 !
1 file changed, 31 insertions(+), 20 deletions(-)

 [patch] auth-token: ensure tokens are always wiped on de-auth

If tls_deauthenticate() was called, it could in some scenarios leave the
authentication token for a session in memory.  This change just ensures
auth-tokens are always wiped as soon as a TLS session is considered
broken.

Signed-off-by: David Sommerseth <davids@openvpn.net>

src/openvpn/forward.c | 7 7 + 0 - 0 !
src/openvpn/init.c | 2 2 + 0 - 0 !
src/openvpn/openvpn.h | 3 2 + 1 - 0 !
src/openvpn/ssl.c | 9 1 + 8 - 0 !
src/openvpn/ssl.h | 8 8 + 0 - 0 !
5 files changed, 20 insertions(+), 9 deletions(-)

---

src/openvpn/mss.c | 11 9 + 2 - 0 !
1 file changed, 9 insertions(+), 2 deletions(-)

---

src/openvpn/ntlm.c | 10 8 + 2 - 0 !
1 file changed, 8 insertions(+), 2 deletions(-)

---

src/openvpn/ssl_verify_openssl.c | 5 4 + 1 - 0 !
1 file changed, 4 insertions(+), 1 deletion(-)

---

src/openvpn/ssl_verify_openssl.c | 9 4 + 5 - 0 !
1 file changed, 4 insertions(+), 5 deletions(-)

---

src/openvpn/push.c | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 [patch] fix push options digest update
Bug: https://community.openvpn.net/openvpn/ticket/812
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863110

Trac: #812

Signed-off-by: Selva Nair <selva.nair@gmail.com>

src/openvpn/push.c | 12 7 + 5 - 0 !
1 file changed, 7 insertions(+), 5 deletions(-)

 fix ncp behaviour on tls reconnect.