Sync from SUSE:SLFO:Main openvpn revision de1118c31fae0594e1708567e8ed48c5
This commit is contained in:
parent
0a466739b7
commit
617ba957b4
87
openvpn-CVE-2024-28882.patch
Normal file
87
openvpn-CVE-2024-28882.patch
Normal file
@ -0,0 +1,87 @@
|
|||||||
|
diff -Naurp openvpn-2.6.8.orig/src/openvpn/forward.c openvpn-2.6.8/src/openvpn/forward.c
|
||||||
|
--- openvpn-2.6.8.orig/src/openvpn/forward.c 2024-09-05 12:43:17.633337355 +0200
|
||||||
|
+++ openvpn-2.6.8/src/openvpn/forward.c 2024-09-05 13:09:07.395797797 +0200
|
||||||
|
@@ -514,17 +514,24 @@ check_server_poll_timeout(struct context
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
- * Schedule a signal n_seconds from now.
|
||||||
|
+ * Schedule a SIGTERM signal c->options.scheduled_exit_interval seconds from now.
|
||||||
|
*/
|
||||||
|
-void
|
||||||
|
-schedule_exit(struct context *c, const int n_seconds, const int signal)
|
||||||
|
+bool
|
||||||
|
+schedule_exit(struct context *c)
|
||||||
|
{
|
||||||
|
+ const int n_seconds = c->options.scheduled_exit_interval;
|
||||||
|
+ /* don't reshcedule if already scheduled. */
|
||||||
|
+ if (event_timeout_defined(&c->c2.scheduled_exit))
|
||||||
|
+ {
|
||||||
|
+ return false;
|
||||||
|
+ }
|
||||||
|
tls_set_single_session(c->c2.tls_multi);
|
||||||
|
update_time();
|
||||||
|
reset_coarse_timers(c);
|
||||||
|
event_timeout_init(&c->c2.scheduled_exit, n_seconds, now);
|
||||||
|
- c->c2.scheduled_exit_signal = signal;
|
||||||
|
+ c->c2.scheduled_exit_signal = SIGTERM;
|
||||||
|
msg(D_SCHED_EXIT, "Delayed exit in %d seconds", n_seconds);
|
||||||
|
+ return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
diff -Naurp openvpn-2.6.8.orig/src/openvpn/forward.h openvpn-2.6.8/src/openvpn/forward.h
|
||||||
|
--- openvpn-2.6.8.orig/src/openvpn/forward.h 2024-09-05 12:43:17.636670737 +0200
|
||||||
|
+++ openvpn-2.6.8/src/openvpn/forward.h 2024-09-05 13:11:05.550847481 +0200
|
||||||
|
@@ -302,7 +302,8 @@ void reschedule_multi_process(struct con
|
||||||
|
|
||||||
|
void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf);
|
||||||
|
|
||||||
|
-void schedule_exit(struct context *c, const int n_seconds, const int signal);
|
||||||
|
+
|
||||||
|
+bool schedule_exit(struct context *c);
|
||||||
|
|
||||||
|
static inline struct link_socket_info *
|
||||||
|
get_link_socket_info(struct context *c)
|
||||||
|
diff -Naurp openvpn-2.6.8.orig/src/openvpn/push.c openvpn-2.6.8/src/openvpn/push.c
|
||||||
|
--- openvpn-2.6.8.orig/src/openvpn/push.c 2024-09-05 12:43:17.636670737 +0200
|
||||||
|
+++ openvpn-2.6.8/src/openvpn/push.c 2024-09-05 13:32:53.496512873 +0200
|
||||||
|
@@ -204,7 +204,11 @@ receive_exit_message(struct context *c)
|
||||||
|
* */
|
||||||
|
if (c->options.mode == MODE_SERVER)
|
||||||
|
{
|
||||||
|
- schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
|
||||||
|
+ if (!schedule_exit(c))
|
||||||
|
+ {
|
||||||
|
+ /* Return early when we don't need to notify management */
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
@@ -391,7 +395,7 @@ __attribute__ ((format(__printf__, 4, 5)
|
||||||
|
void
|
||||||
|
send_auth_failed(struct context *c, const char *client_reason)
|
||||||
|
{
|
||||||
|
- if (event_timeout_defined(&c->c2.scheduled_exit))
|
||||||
|
+ if (!schedule_exit(c))
|
||||||
|
{
|
||||||
|
msg(D_TLS_DEBUG, "exit already scheduled for context");
|
||||||
|
return;
|
||||||
|
@@ -401,7 +405,6 @@ send_auth_failed(struct context *c, cons
|
||||||
|
static const char auth_failed[] = "AUTH_FAILED";
|
||||||
|
size_t len;
|
||||||
|
|
||||||
|
- schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
|
||||||
|
|
||||||
|
len = (client_reason ? strlen(client_reason)+1 : 0) + sizeof(auth_failed);
|
||||||
|
if (len > PUSH_BUNDLE_SIZE)
|
||||||
|
@@ -492,7 +495,7 @@ send_auth_pending_messages(struct tls_mu
|
||||||
|
void
|
||||||
|
send_restart(struct context *c, const char *kill_msg)
|
||||||
|
{
|
||||||
|
- schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
|
||||||
|
+ schedule_exit(c);
|
||||||
|
send_control_channel_string(c, kill_msg ? kill_msg : "RESTART", D_PUSH);
|
||||||
|
}
|
||||||
|
|
@ -1,3 +1,10 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Sep 6 03:28:12 UTC 2024 - Rahul Jain <rahul.jain@suse.com>
|
||||||
|
|
||||||
|
- Fix multiple exit notifications from authenticated clients will
|
||||||
|
extend the validity of a closing session (bsc#1227546 CVE-2024-28882)
|
||||||
|
Patchname:openvpn-CVE-2024-28882.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Nov 20 07:15:13 UTC 2023 - Mohd Saquib <mohd.saquib@suse.com>
|
Mon Nov 20 07:15:13 UTC 2023 - Mohd Saquib <mohd.saquib@suse.com>
|
||||||
|
|
||||||
|
@ -37,6 +37,7 @@ Source9: %{name}.target
|
|||||||
Source10: %{name}-tmpfile.conf
|
Source10: %{name}-tmpfile.conf
|
||||||
Source11: rc%{name}
|
Source11: rc%{name}
|
||||||
Patch1: %{name}-2.3-plugin-man.dif
|
Patch1: %{name}-2.3-plugin-man.dif
|
||||||
|
Patch2: openvpn-CVE-2024-28882.patch
|
||||||
BuildRequires: iproute2
|
BuildRequires: iproute2
|
||||||
BuildRequires: libcap-ng-devel
|
BuildRequires: libcap-ng-devel
|
||||||
BuildRequires: liblz4-devel
|
BuildRequires: liblz4-devel
|
||||||
@ -118,6 +119,7 @@ This package provides the header file to build external plugins.
|
|||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q
|
||||||
%patch1
|
%patch1
|
||||||
|
%patch2 -p1
|
||||||
|
|
||||||
sed -e "s|\" __DATE__|$(date '+%%b %%e %%Y' -r version.m4)\"|g" \
|
sed -e "s|\" __DATE__|$(date '+%%b %%e %%Y' -r version.m4)\"|g" \
|
||||||
-i src/openvpn/options.c
|
-i src/openvpn/options.c
|
||||||
|
Loading…
Reference in New Issue
Block a user