Accepting request 1126537 from home:msaquib:branches:network:vpn

- update to 2.6.7:
  * CVE-2023-46850 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly
    use a send buffer after it has been free()d in some circumstances,
    causing some free()d memory to be sent to the peer. All configurations
    using TLS (e.g. not using --secret) are affected by this issue.
  * CVE-2023-46849 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly
    restore --fragment configuration in some circumstances, leading to a
    division by zero when --fragment is used. On platforms where division
    by zero is fatal, this will cause an OpenVPN crash.
  * DCO: warn if DATA_V1 packets are sent by the other side - this is a hard
    incompatibility between a 2.6.x client connecting to a 2.4.0-2.4.4
    server, and the only fix is to use --disable-dco.
  * Remove OpenSSL Engine method for loading a key. This had to be removed
    because the original author did not agree to relicensing the code with
    the new linking exception added. This was a somewhat obsolete feature
    anyway as it only worked with OpenSSL 1.x, which is end-of-support.
  * add warning if p2p NCP client connects to a p2mp server - this is a
    combination that used to work without cipher negotiation (pre 2.6 on
    both ends), but would fail in non-obvious ways with 2.6 to 2.6.
  * add warning to --show-groups that not all supported groups are listed
    (this is due to the internal enumeration in OpenSSL being a bit weird,
    omitting X448 and X25519 curves).
  * --dns: remove support for exclude-domains argument (this was a new 2.6
    option, with no backend support implemented yet on any platform, and it
    turns out that no platform supported it at all - so remove option again)
  * warn user if INFO control message too long, do not forward to management
    client (safeguard against protocol-violating server implementations)
  * DCO-WIN: get and log driver version (for easier debugging).
  * print "peer temporary key details" in TLS handshake
  * log OpenSSL errors on failure to set certificate, for example if the

OBS-URL: https://build.opensuse.org/request/show/1126537
OBS-URL: https://build.opensuse.org/package/show/network:vpn/openvpn?expand=0&rev=197
Mohd Saquib 2023-11-15 08:05:59 +00:00 committed by Git OBS Bridge
parent 43bcc348c4
commit 475b121128
6 changed files with 59 additions and 20 deletions


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:3b074f392818b31aa529b84f76e8b5e4ad03fca764924f46d906bceaaf421034
size 1901689


@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEvlj1OdBZuAYxwSlKQdIJZcLoLccFAmTbN38ACgkQQdIJZcLo
LcdAHBAAo8g+SFz/nugWizgbNwFVyS020Wj8NCX1Miq5z+0CD+M8L43M3KVUQ8TD
oQkHxiUQx0R2foNojXC9jS3Aa/a//c6zbVBmlK8Y9X5vesUX1ii4rQ/eOgy/RkqA
EX1/TYhHFLSqepdDbhXwl7awj/9HZQLh1yJy3Xx6cmOE2kVuvuvcTn5zc6mKpJzY
665lxmXv/Vz/0c/5vAfOV/X/lG0Mgqalv7gbFL3vrLRTHJlmw8o3OCQNkpk2uHtL
pWf3mU7lbo/nZO4WGctEXBcnKTGsDJ3IXc5a0i4ufeDBXiJoFHHWfZvSvsvmxcnc
rTE0uteQYDRhz7//1HDe8rmvC6SFiZgzOvxkjZlolBphe1KOy9csikbj/TSJdY1o
qTPvjzF1k6FUUuEkAQgNQfv1XmaSUlOmQ1DofC0p4fxtb99nNZ6J6syVY8t/WF2e
hmno5/QmHe0aqaxLzy+oLUKv0NhT6MJVIoeG6yB0yIpgIfdmUafDml3qSuGdqgyk
NL4f9zyo2V81qo6VaF2t+f+N2vNbDn0FEHM6oJJ/Ig3EX6vccMPSSe4IrzaCe5ZG
McaxOJ2kVYhiIbPuoshiQEGKhXJwmdaJg8ESGvlVr08+r3U6U50WCkObnM0fN1ab
4pNVMXh+4jL9UKMaTCboVhWS4sY9IZfn1AAcPHcAyHzq9vxq118=
=n6/m
-----END PGP SIGNATURE-----

openvpn-2.6.7.tar.gz Normal file

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:ee9877340b1d8de47eb5b52712c3366855fa6a4a1955bf950c68577bd2039913
size 1895682

openvpn-2.6.7.tar.gz.asc Normal file

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----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=1hkR
-----END PGP SIGNATURE-----
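Review bot: the new detached signature lands next to an LFS pointer that pins only the tarball's sha256 (`oid sha256:ee9877...`, `size 1895682`), and nothing in the hunk shows which key produced it, so before accepting confirm that `openvpn-2.6.7.tar.gz.asc` verifies against the upstream OpenVPN release signing key and that the LFS oid matches the download that was verified; otherwise the `.asc` adds no assurance over the bare checksum. The signature body is also elided in this rendering (only the `=1hkR` trailer survives), so it cannot be checked from the page itself.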


@ -1,3 +1,42 @@
-------------------------------------------------------------------
Wed Nov 15 07:41:26 UTC 2023 - Mohd Saquib <mohd.saquib@suse.com>
- update to 2.6.7:
* CVE-2023-46850 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly
use a send buffer after it has been free()d in some circumstances,
causing some free()d memory to be sent to the peer. All configurations
using TLS (e.g. not using --secret) are affected by this issue.
* CVE-2023-46849 OpenVPN versions between 2.6.0 and 2.6.6 incorrectly
restore --fragment configuration in some circumstances, leading to a
division by zero when --fragment is used. On platforms where division
by zero is fatal, this will cause an OpenVPN crash.
* DCO: warn if DATA_V1 packets are sent by the other side - this a hard
incompatibility between a 2.6.x client connecting to a 2.4.0-2.4.4
server, and the only fix is to use --disable-dco.
* Remove OpenSSL Engine method for loading a key. This had to be removed
because the original author did not agree to relicensing the code with
the new linking exception added. This was a somewhat obsolete feature
anyway as it only worked with OpenSSL 1.x, which is end-of-support.
* add warning if p2p NCP client connects to a p2mp server - this is a
combination that used to work without cipher negotiation (pre 2.6 on
both ends), but would fail in non-obvious ways with 2.6 to 2.6.
* add warning to --show-groups that not all supported groups are listed
(this is due the internal enumeration in OpenSSL being a bit weird,
omitting X448 and X25519 curves).
* --dns: remove support for exclude-domains argument (this was a new 2.6
option, with no backend support implemented yet on any platform, and it
turns out that no platform supported it at all - so remove option again)
* warn user if INFO control message too long, do not forward to management
client (safeguard against protocol-violating server implementations)
* DCO-WIN: get and log driver version (for easier debugging).
* print "peer temporary key details" in TLS handshake
* log OpenSSL errors on failure to set certificate, for example if the
algorithms used are in acceptable to OpenSSL (misleading message would be
printed in cryptoapi / pkcs11 scenarios)
* add CMake build system for MinGW and MSVC builds
* remove old MSVC build system
* improve cmocka unit test building for Windows
-------------------------------------------------------------------
Wed Aug 16 18:56:40 UTC 2023 - Mohd Saquib <mohd.saquib@suse.com>
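Review bot: at `algorithms used are in acceptable to OpenSSL` the entry reads "in acceptable", which should be "unacceptable" (or "not acceptable"); two smaller slips in the same entry are `this a hard incompatibility` (missing "is") and `this is due the internal enumeration` (should be "due to the"). The two CVE items (CVE-2023-46850, CVE-2023-46849) also carry no bug-tracker reference; openSUSE `.changes` entries for security fixes normally cite the tracking bug (bsc#/boo#) beside the CVE id so the update is discoverable from the bug side, so add those references if bugs were filed.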


@ -20,7 +20,7 @@
%define _rundir %{_localstatedir}/run
%endif
Name: openvpn
Version: 2.6.6
Version: 2.6.7
Release: 0
Summary: Full-featured SSL VPN solution using a TUN/TAP Interface
License: GPL-2.0-only WITH openvpn-openssl-exception
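Review bot: the hunk only moves `Version: 2.6.6` to `Version: 2.6.7`, yet the changelog added in this same commit says upstream introduced a new linking exception (and dropped the OpenSSL Engine key-loading code because its author would not relicense under it), so the unchanged `License: GPL-2.0-only WITH openvpn-openssl-exception` context line should be re-checked against the 2.6.7 COPYING text to confirm the SPDX expression still describes what is shipped.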