Package: openvpn / 2.6.3-1+deb12u3
Metadata

| Package | Version | Patches format |
|---|---|---|
| openvpn | 2.6.3-1+deb12u3 | 3.0 (quilt) |
Patch series

| Patch | File delta | Description |
|---|---|---|
| move_log_dir.patch | sample/sample-config-files/server.conf: 8 (4 +, 4 -, 0 !) | set default logdir to /var/log/openvpn |
| auth pam_libpam_so_filename.patch | src/plugins/auth-pam/auth-pam.c: 2 (1 +, 1 -, 0 !) | fix libpam.so filename to /lib/libpam.so.0 in pam plugin |
| openvpn pkcs11warn.patch | src/openvpn/options.c: 14 (14 +, 0 -, 0 !) | warn users about deprecated pkcs11 options |
| systemd.patch | distro/systemd/openvpn-client@.service.in: 2 (1 +, 1 -, 0 !) | remove syslog.target |
| fix dangling pointer in pkcs11.patch | src/openvpn/pkcs11_openssl.c: 2 (1 +, 1 -, 0 !) | [patch] bugfix: dangling pointer passed to pkcs11-helper. Github: Fixes OpenVPN/openvpn#323. Signed-off-by: Selva Nair <selva.nair@gmail.com> |
| fix memleak in dco_get_peer_stats_multi.patch | src/openvpn/dco_linux.c: 5 (4 +, 1 -, 0 !) | [patch] dco: fix memory leak in dco_get_peer_stats_multi for linux. Leaks a small amount of memory every 15s. Signed-off-by: Frank Lichtenheld <frank@lichtenheld.com> |
| CVE 2023 46849.patch | src/openvpn/forward.c: 9 (0 +, 9 -, 0 !) | [patch] remove saving initial frame code. This code was necessary before the frame/buffer refactoring as we always did relative adjustment to the frame. This also fixes that previously initial_frame was initialised too early, before the fragment related options were initialised, and contained 0 for the maximum frame size. This resulted in a DIV by 0 that caused an abort on platforms that throw an exception for that. CVE: 2023-46849. Only people with --fragment in their config are affected. |
| CVE 2023 46850.patch | src/openvpn/ssl.c: 8 (7 +, 1 -, 0 !) | [patch] fix using to_link buffer after freed. When I refactored the tls_state_change method in 9a7b95fda5 I accidentally changed a break into a return true while it should return a false. The code here is extremely fragile in the sense that it assumes that setting a keystate to S_ERROR cannot have any outgoing buffer or we will have a use after free. The previous break and now restored return false ensure this by skipping any further tls_process_state loops that might set to ks->S_ERROR and ensure that the to_link is sent out and cleared before having more loops in tls_state_change. CVE: 2023-46850. This affects everyone, even with tls-auth/tls-crypt enabled. |
| CVE 2024 28882.patch | src/openvpn/forward.c: 15 (11 +, 4 -, 0 !) | [patch] only schedule_exit() once. If an exit has already been scheduled we should not schedule it again. Otherwise, the exit signal is never emitted if the peer reschedules the exit before the timeout occurs. schedule_exit() now only takes the context as argument. The signal is hard coded to SIGTERM, and the interval is read directly from the context options. Furthermore, schedule_exit() now returns a bool signifying whether an exit was scheduled; false if exit is already scheduled. The call sites |
| CVE 2024 5594.patch | src/openvpn/buffer.c: 17 (17 +, 0 -, 0 !) | [patch] properly handle null bytes and invalid characters in control messages. This makes OpenVPN more picky in accepting control messages in two aspects: - Characters are checked in the whole buffer and not until the first NUL byte - if the message contains invalid characters, we no longer continue evaluating a fixed up version of the message but rather stop processing it completely. Previously it was possible to get invalid characters to end up in log files or on a terminal. This also prepares the logic a bit in the direction of having a proper framing of control messages separated by null bytes instead of relying on the TLS framing for that. All OpenVPN implementations write the 0 bytes between control commands. This patch also includes several improvement suggestions from Reynir (thanks!). CVE: 2024-5594. Reported-By: Reynir Björnsson <reynir@reynir.dk> |
| sample keys renew 10 years.patch | sample/sample-config-files/loopback-client: 313 (157 +, 156 -, 0 !) | [patch] sample-keys: renew for the next 10 years. Old expiration was October 2024, less than a year away. Give everyone the chance to get the new keys before tests start failing. |
| CVE 2025 2704.patch | src/openvpn/ssl.c: 26 (22 +, 4 -, 0 !) | [patch] allow tls-crypt-v2 to be set up only on initial packet of a session. This fixes an internal server error condition that can be triggered by a malicious authenticated client, a very unlucky corruption of packets in transit, or by an attacker that is able to inject a specially created packet at the right time and is able to observe the traffic to construct the packet. The error condition results in an ASSERT statement being triggered. NOTE: due to the security sensitive nature, this patch was prepared under embargo on the security@openvpn.net mailing list, and thus has no publicly available "mailing list discussion before merge" URL. CVE: 2025-2704 |