Package: openvpn / 2.4.0-6+deb9u3

Metadata

Package: openvpn
Version: 2.4.0-6+deb9u3
Patches format: 3.0 (quilt)

Patch series

auth-pam_libpam_so_filename.patch

 src/plugins/auth-pam/auth-pam.c | 2 (+1, -1)
 1 file changed, 1 insertion(+), 1 deletion(-)

fix libpam.so filename to /lib/libpam.so.0 in pam plugin
debian_nogroup_for_sample_files.patch

 sample/sample-config-files/client.conf        | 2 (+1, -1)
 sample/sample-config-files/server.conf        | 2 (+1, -1)
 sample/sample-config-files/static-home.conf   | 2 (+1, -1)
 sample/sample-config-files/static-office.conf | 2 (+1, -1)
 sample/sample-config-files/tls-home.conf      | 2 (+1, -1)
 sample/sample-config-files/tls-office.conf    | 2 (+1, -1)
 6 files changed, 6 insertions(+), 6 deletions(-)

unprivileged group in debian is called nogroup instead of nobody
openvpn-pkcs11warn.patch

 src/openvpn/options.c | 14 (+14, -0)
 1 file changed, 14 insertions(+)

warn users about deprecated pkcs11 options
kfreebsd_support.patch

 src/openvpn/lladdr.c  | 2 (+1, -1)
 src/openvpn/route.c   | 15 (+8, -7)
 src/openvpn/ssl.c     | 2 (+1, -1)
 src/openvpn/syshead.h | 2 (+1, -1)
 src/openvpn/tun.c     | 6 (+3, -3)
 5 files changed, 14 insertions(+), 13 deletions(-)

improve kfreebsd support
match-manpage-and-command-help.patch

 src/openvpn/options.c | 2 (+1, -1)
 1 file changed, 1 insertion(+), 1 deletion(-)

[patch] change command help to match man page and implementation

CVE-2017-7478.patch

 src/openvpn/ssl.c | 7 (+6, -1)
 1 file changed, 6 insertions(+), 1 deletion(-)

[patch] don't assert out on receiving too-large control packets
(CVE-2017-xxx)

Commit 3c1b19e0 changed the maximum size of accepted control channel
packets.  This was needed for crypto negotiation (which is needed for a
nice transition to a new default cipher), but exposed a DoS
vulnerability.  The vulnerability was found during the OpenVPN 2.4 code
audit by Quarkslab (commissioned by OSTIF).

To fix the issue, we should not ASSERT() on external input (in this case
the received packet size), but instead gracefully error out and drop the
invalid packet.

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Signed-off-by: Samuli Seppänen <samuli@openvpn.net>

CVE-2017-7478

Security

CVE-2017-7479-prereq.patch

 src/openvpn/crypto.c                      | 20 (+8, -12)
 src/openvpn/packet_id.c                   | 24 (+21, -3)
 src/openvpn/packet_id.h                   | 35 (+12, -23)
 src/openvpn/tls_crypt.c                   | 6 (+1, -5)
 tests/unit_tests/openvpn/Makefile.am      | 13 (+12, -1)
 tests/unit_tests/openvpn/mock_msg.c       | 15 (+6, -9)
 tests/unit_tests/openvpn/test_packet_id.c | 168 (+168, -0)
 7 files changed, 228 insertions(+), 53 deletions(-)

[patch] cleanup: merge packet_id_alloc_outgoing() into
packet_id_write()

The functions packet_id_alloc_outgoing() and packet_id_write() were
always called in tandem.  Instead of forcing the caller to allocate a
packet_id_net to do so, merge the two functions.  This simplifies the API
and reduces the chance of mistakes in the future.

This patch adds unit tests to verify the behaviour of packet_id_write().
Verifying that we assert out correctly required the change to mock_msg.c.

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>

CVE-2017-7479.patch

 src/openvpn/crypto.c                      | 25 (+16, -9)
 src/openvpn/packet_id.c                   | 22 (+16, -6)
 src/openvpn/packet_id.h                   | 1 (+1, -0)
 src/openvpn/tls_crypt.c                   | 6 (+5, -1)
 tests/unit_tests/openvpn/test_packet_id.c | 11 (+9, -2)
 5 files changed, 47 insertions(+), 18 deletions(-)

[patch 2/2] drop packets instead of asserting out if packet id rolls
over

Previously, if a mode was selected where packet ids are not allowed to roll
over, but renegotiation does not succeed for some reason (e.g. no password
entered in time, certificate expired or a malicious peer that refuses the
renegotiation on purpose) we would continue to use the old keys.  Until the
packet ID would roll over and we would ASSERT() out.

Given that this can be triggered on purpose by an authenticated peer, this
is a fix for an authenticated remote DoS vulnerability.  An attack is
rather inefficient though; a peer would need to get us to send 2^32
packets (min-size packet is IP+UDP+OPCODE+PID+TAG (no payload), results in
(20+8+1+4+16) * 2^32 bytes, or approx. 196 GB).

Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>

CVE-2017-7479

wipe_tokens_on_de-auth.patch

 src/openvpn/ssl_verify.c | 51 (+31, -20)
 1 file changed, 31 insertions(+), 20 deletions(-)

[patch] auth-token: ensure tokens are always wiped on de-auth

If tls_deauthenticate() was called, it could in some scenarios leave the
authentication token for a session in memory.  This change just ensures
auth-tokens are always wiped as soon as a TLS session is considered
broken.

Signed-off-by: David Sommerseth <davids@openvpn.net>

upstream-issue-879.patch

 src/openvpn/forward.c | 7 (+7, -0)
 src/openvpn/init.c    | 2 (+2, -0)
 src/openvpn/openvpn.h | 3 (+2, -1)
 src/openvpn/ssl.c     | 9 (+1, -8)
 src/openvpn/ssl.h     | 8 (+8, -0)
 5 files changed, 20 insertions(+), 9 deletions(-)

CVE-2017-7508.patch

 src/openvpn/mss.c | 11 (+9, -2)
 1 file changed, 9 insertions(+), 2 deletions(-)

CVE-2017-7520.patch

 src/openvpn/ntlm.c | 10 (+8, -2)
 1 file changed, 8 insertions(+), 2 deletions(-)

CVE-2017-7521.patch

 src/openvpn/ssl_verify_openssl.c | 5 (+4, -1)
 1 file changed, 4 insertions(+), 1 deletion(-)

CVE-2017-7521bis.patch

 src/openvpn/ssl_verify_openssl.c | 9 (+4, -5)
 1 file changed, 4 insertions(+), 5 deletions(-)

812-fix-push-options-digest-update.patch

 src/openvpn/push.c | 2 (+1, -1)
 1 file changed, 1 insertion(+), 1 deletion(-)

[patch] fix push options digest update
Bug: https://community.openvpn.net/openvpn/ticket/812
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863110

Trac: #812

Signed-off-by: Selva Nair <selva.nair@gmail.com>

887-fix-ncp-on-reconnect.patch

 src/openvpn/push.c | 12 (+7, -5)
 1 file changed, 7 insertions(+), 5 deletions(-)

fix ncp behaviour on tls reconnect.