Package: openvpn / 2.4.7-1+deb10u1
Metadata
| Package | Version | Patches format |
|---|---|---|
| openvpn | 2.4.7-1+deb10u1 | 3.0 (quilt) |
Patch series
view the series file| Patch | File delta | Description |
|---|---|---|
| move_log_dir.patch | (download) |
sample/sample-config-files/server.conf |
8 4 + 4 - 0 ! |
set default logdir to /var/log/openvpn |
| auth pam_libpam_so_filename.patch | (download) |
src/plugins/auth-pam/auth-pam.c |
2 1 + 1 - 0 ! |
fix libpam.so filename to /lib/libpam.so.0 in pam plugin |
| debian_nogroup_for_sample_files.patch | (download) |
sample/sample-config-files/client.conf |
2 1 + 1 - 0 ! |
unpriviledged group in debian is called nogroup instead of nobody |
| openvpn pkcs11warn.patch | (download) |
src/openvpn/options.c |
14 14 + 0 - 0 ! |
warn users about deprecated pkcs11 options |
| kfreebsd_support.patch | (download) |
src/openvpn/lladdr.c |
2 1 + 1 - 0 ! |
improve kfreebsd support |
| match manpage and command help.patch | (download) |
src/openvpn/options.c |
2 1 + 1 - 0 ! |
[patch] change command help to match man page and implementation |
| spelling_errors.patch | (download) |
doc/openvpn.8 |
4 2 + 2 - 0 ! |
correct tspelling errors |
| systemd.patch | (download) |
distro/systemd/openvpn-client@.service.in |
2 1 + 1 - 0 ! |
remove syslog.target |
| fix pkcs11 helper hang.patch | (download) |
src/openvpn/pkcs11.c |
2 1 + 1 - 0 ! |
--- |
| CVE 2020 11810.patch | (download) |
src/openvpn/multi.c |
3 2 + 1 - 0 ! |
[patch] fix illegal client float (cve-2020-11810)
There is a time frame between allocating peer-id and initializing data
channel key (which is performed on receiving push request or on async
push-reply) in which the existing peer-id float checks do not work right.
If a "rogue" data channel packet arrives during that time frame from
another address and with same peer-id, this would cause client to float
to that new address. This is because:
- tls_pre_decrypt() sets packet length to zero if
data channel key has not been initialized, which leads to
- openvpn_decrypt() returns true if packet length is zero,
which leads to
- process_incoming_link_part1() returns true, which
calls multi_process_float(), which commits float
Note that problem doesn't happen when data channel key is initialized,
since in this case openvpn_decrypt() returns false.
The net effect of this behaviour is that the VPN session for the
"victim client" is broken. Since the "attacker client" does not have
suitable keys, it can not inject or steal VPN traffic from the other
session. The time window is small and it can not be used to attack
a specific client's session, unless some other way is found to make it
disconnect and reconnect first.
CVE-2020-11810 has been assigned to acknowledge this risk.
Fix illegal float by adding buffer length check ("is this packet still
considered valid") before calling multi_process_float().
Trac: #1272
CVE: 2020-11810
Signed-off-by: Lev Stipakov <lev@openvpn.net>
|
| CVE 2020 15078.patch | (download) |
src/openvpn/push.c |
8 7 + 1 - 0 ! |
[patch] ensure key state is authenticated before sending push reply This ensures that the key state is authenticated when sending a push reply. |
| increase tcp backlog.patch | (download) |
src/openvpn/socket.c |
2 1 + 1 - 0 ! |
[patch] increase listen() backlog queue to 32 For reasons historically unknown, OpenVPN sets the listen() backlog queue to "1", which signals the kernel "while there is one TCP connect waiting for OpenVPN to handle it, refuse all others" - which, on restarting a busy TCP server, will create connection issues. The exact "best" value of the backlog queue is subject of discussion, but for a server that is not extremely busy with many connections |