forked from OpenVPN/openvpn
NCL-1834 : Address CVEs which affect - OpenVPN: 2.0 - 2.6.9 #2
Merged: SeemaKodikanyana merged 239 commits into sophos_2.6.10 from feature/NCL-1834--upgrade-openvpn-for-Sophos-Connect-Client-to-2.6.10 on Jun 12, 2024
Conversation
This file was missing from src/openvpn/Makefile.am.

Acked-by: Gert Doering <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg26085.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit ffcf20c)

The undefined behaviour USAN clang checker found this. The optimiser of clang/gcc will optimise the memcpy away in the auth_token case and output exactly the same assembly on amd64/arm64, but it is still better to not rely on undefined behaviour.

Signed-off-by: Arne Schwabe <[email protected]>
Acked-by: Frank Lichtenheld <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg26103.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit f6ccff6)

The version 3.5.3 triggers undefined behaviour with the usan sanitizer. Updating LibreSSL to 3.7.0 unfortunately does not fix the issue, but at least we are now using a current version.

Signed-off-by: Arne Schwabe <[email protected]>
Acked-by: Frank Lichtenheld <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg26105.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit dc8f1f3)

This allows identifying the source of undefined behaviour more easily from the github action logs.

Signed-off-by: Arne Schwabe <[email protected]>
Acked-by: Frank Lichtenheld <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg26102.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit 98f2950)

When reviewing OpenVPN#231 I noticed this was missing from Changes.rst.

Signed-off-by: Frank Lichtenheld <[email protected]>
Acked-by: Gert Doering <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg26121.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit b2e4946)

- An item added to undo-list was not removed on error, causing attempt to free again in Undo(). Also fix a memory leak possibility in the same context.

Github: fixes OpenVPN#232

v2: Split add and delete functions and reuse the delete function for cleanup.

Signed-off-by: Selva Nair <[email protected]>
Acked-by: Lev Stipakov <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg26130.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit b761cb9)

Signed-off-by: Frank Lichtenheld <[email protected]>
Acked-by: Lev Stipakov <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg26145.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit 8aeec3a)

At this point it might be easier to create a dedicated function for Windows...

Signed-off-by: Frank Lichtenheld <[email protected]>
Acked-by: Lev Stipakov <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg26140.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit 48495ce)

Relevant defines/typedefs:

    typedef UINT_PTR SOCKET;

    #if defined(_WIN64)
    typedef unsigned __int64 UINT_PTR;
    #else
    typedef unsigned int UINT_PTR;
    #endif

    #ifdef _WIN64
    #define PRIuPTR PRIu64
    #else
    #define PRIuPTR PRIu32
    #endif

Remove duplicated include of inttypes.h

Signed-off-by: Frank Lichtenheld <[email protected]>
Acked-by: Lev Stipakov <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg26166.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit a95705b)
Signed-off-by: Frank Lichtenheld <[email protected]>
Acked-by: Lev Stipakov <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg26141.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit 2dc2d16)

During the build of LibreSSL portable it pulls in a branch from OpenBSD upstream. Unfortunately they use master there instead of a fixed branch. So we work around this issue.

Signed-off-by: Arne Schwabe <[email protected]>
Acked-by: Gert Doering <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/search?l=mid&[email protected]
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit 589cca1)

Following DHCP options: DOMAIN, ADAPTER_DOMAIN_SUFFIX, DNS, WINS don't require a DHCP server in order to be used. This change allows those options to be used with dco and wintun drivers.

If an option is specified which requires a DHCP server and the tap-windows6 driver is not used, print a clear error message instead of an obscure reference to --ip-win32.

Reported-by: Marek Zarychta
Signed-off-by: Lev Stipakov <[email protected]>
Acked-by: Antonio Quartulli <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg26169.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit 469158f)

- Eliminates repeated warnings such as
    warning: source file '$(openvpn_srcdir)/env_set.c' is in a subdirectory, but option 'subdir-objects' is disabled
- Enabled only for automake >= 1.16 as older versions have a buggy implementation of this option

Main side effect of this option is that object files like openvpnserv-blockdns.o are now created in src/openvpn where block-dns.c resides instead of in src/openvpnserv. Same for object files for sources from $(openvpn_srcdir) compiled into test executables.

See also past discussion on this topic: https://www.mail-archive.com/[email protected]/msg00013.html

Signed-off-by: Selva Nair <[email protected]>
Acked-by: Arne Schwabe <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg26147.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit 8b915c4)

overlapped_io_init() has a "bool tuntap_buffer" argument which is only passed onwards to alloc_buf_sock_tun(), which does nothing with it. Remove from both functions.

v2: move alloc_buf_sock_tun() to win32.c
v3: leave alloc_buf_sock_tun() where it is, and fix non-WIN32 call from socket.c

Signed-off-by: Gert Doering <[email protected]>
Acked-by: Arne Schwabe <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg26099.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit bdc842d72e92995261bac3579120c94f93e4064a)
Acked-by: Arne Schwabe <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg26122.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit 092cead)

My mingw compiler/headers (mingw-w64 10.0.0 on macOS) seem to be more pedantic than the one that comes with Ubuntu 22.04 (github actions) or any of the other platforms including msvc/normal windows header.

Signed-off-by: Arne Schwabe <[email protected]>
Acked-by: Selva Nair <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg26182.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit e80720e)

- Minor changes to the build system to include some dependencies for Windows build
- test_tls_crypt not built as it will pull in win32.c and its dependencies
- If cross-compiling, "make check" will only build the tests but not run any. Copy to Windows and run manually. Executables are in <build-dir>/tests/unit_tests/openvpn/.libs/ and these depend on cmocka.dll in addition to openssl libs that some tests link to.

Building with mingw on Windows should run the tests (untested).

v2: networking_testdriver was mistakenly enabled to run, while originally it was only set to build. Corrected.
v3: exclude check_engine_keys.sh when cross-compiling
    As suggested by Arne Schwabe <[email protected]>

Signed-off-by: Selva Nair <[email protected]>
Acked-by: Arne Schwabe <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg26188.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit e3ad1fc)

WinAPI uses __stdcall calling convention on x86. Wrong calling convention causes UB, which in this case breaks dco-win functionality.

Signed-off-by: Lev Stipakov <[email protected]>
Acked-by: Gert Doering <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg26113.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit b783608)

Instead of passing a value and a bool just pass the value and 0 if the caller does not want the value to be added. This also allows the function to be used by a function without a frame struct.

Signed-off-by: Arne Schwabe <[email protected]>
Acked-by: Frank Lichtenheld <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg26223.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit e759c0e)

Signed-off-by: Arne Schwabe <[email protected]>
Acked-by: Frank Lichtenheld <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg26224.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit 48d27e2)

Socket is a handle on Windows, which is usually logged in hex. Also an interesting value is INVALID_SOCKET, which is ~0.

PRIuPTR prints decimals, and for INVALID_SOCKET it prints something like

    2023-02-10 14:45:21 us=906000 write to TUN/TAP : Järjestelmäkutsulle annettu data-alue on liian pieni. (fd=18446744073709551615,code=122)

PRIxPTR prints hex, and INVALID_SOCKET looks a bit nicer:

    2023-02-10 15:17:11 us=828000 write to TUN/TAP : Järjestelmäkutsulle annettu data-alue on liian pieni. (fd=ffffffffffffffff,code=122)

Reported-by: Selva Nair <[email protected]>
Signed-off-by: Lev Stipakov <[email protected]>
Acked-by: Frank Lichtenheld <[email protected]>
Acked-by: Antonio Quartulli <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg26220.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit 6731314)
This runs each test in its own action since the order of stderr and stdout is seemingly random in github action Windows output, and this way at least test outputs are grouped by test.

Patch v2: use -static-libgcc to avoid copying gcc runtime libraries.

Signed-off-by: Arne Schwabe <[email protected]>
Acked-by: Selva Nair <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg26204.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit 9719393)

Newer OpenVPN 3 core versions now allow limited configuration of ciphers:

    // Allow usage of legacy (cipher) algorithm that are no longer
    // considered safe
    // This includes BF-CBC, single DES and RC2 private key encryption.
    // With OpenSSL 3.0 this also instructs OpenSSL to load the legacy
    // provider.
    bool enableLegacyAlgorithms = false;

    // By default modern OpenVPN version (OpenVPN 2.6 and OpenVPN core
    // 3.7) will only allow
    // preferred algorithms (AES-GCM, Chacha20-Poly1305) that also work
    // with the newer DCO
    // implementations. If this is enabled, we fall back to allowing all
    // algorithms (if these are
    // supported by the crypto library)
    bool enableNonPreferredDCAlgorithms = false;

Adjust the man page section accordingly but only really mention the AEAD ciphers to be always present and that they should be included in the data-ciphers option.

Signed-off-by: Arne Schwabe <[email protected]>
Acked-by: Gert Doering <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg26226.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit 4da513d)

- With various ways of specifying the selector-string to the "--cryptoapicert" option, it's not immediately obvious which certificate gets selected from the store. Log it. The "name" logged is a friendly name (if present), or a representative element of the subject (usually the common-name).

Signed-off-by: Selva Nair <[email protected]>
Acked-by: Gert Doering <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg26093.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit ddffcea)

- Require xkey-provider (thus OpenSSL 3.01+) for --cryptoapicert

Note: Ideally we should also make ENABLE_CRYPTOAPI conditional on HAVE_XKEY_PROVIDER but that looks hard unless we can agree to move HAVE_XKEY_PROVIDER to configure/config.h.

v2: use "binary" instead of "version" in the error message

Signed-off-by: Selva Nair <[email protected]>
Acked-by: Gert Doering <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg26131.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit 4b28831)

v2: Moved the "parse_hexstring" chunk to a function for clarity and to permit unit-testing. A test is submitted as a follow up patch.

Signed-off-by: Selva Nair <[email protected]>
Acked-by: Gert Doering <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg26146.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit 94bbe98)

- Certificate selection string can now specify a partial issuer name string as "--cryptoapicert ISSUER:<string>" where <string> is matched as a substring of the issuer (CA) name in the certificate.

Partial case-insensitive matching against the "issuer name" is used. Here "issuer name" is a text representation of the RDN's separated by commas. E.g., "CA, Ontario, Toronto, Acme Inc., IT, Acme Root CA". See MSDN docs on CertFindCertificateInStore() with CERT_FIND_ISSUER_STR as "FindType" for more details.

As the order of RDN's is not well-defined[*] and type names like "OU" or "CN" are not included, it's best to match against a single attribute like the CN of the issuer: E.g., --cryptoapicert "ISSUER:Acme Root"

[*] Windows appears to order RDN's in the reverse order to which it's written in the certificate but do not rely on this.

Signed-off-by: Selva Nair <[email protected]>
Acked-by: Gert Doering <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg26092.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit b9e0e40)

…ement

The Android implementation is relying on the management interface to be always available. Trying to run the Android binary without the management interface outside the app leads to a segfault. Exit with a FATAL error instead.

Signed-off-by: Arne Schwabe <[email protected]>
Acked-by: Gert Doering <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg26288.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit 3132bea)

DCO doesn't support proxy and we already disable DCO if proxy is set in profile.

Signed-off-by: Lev Stipakov <[email protected]>
Acked-by: Antonio Quartulli <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg26287.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit 45a1cb2)

Automatically disabled when
- iproute2 is enabled (Don't want to force people specifying --disable-dco explicitly)
- libnv is missing on FreeBSD (FreeBSD version too old anyway)

Will still error out if libnl-genl is missing on Linux to make people aware of new dependency.

v2: error out when libnl-genl is missing as discussed with ordex on IRC.
v3:
- improvements to the messages, suggested by Selva
- further improvements to the default specification, trying to make it clear
- if enabling iproute2, do not test for libnl-genl
v4: add updates for GHA
v5:
- v4 was missing the changes of v3. v5 combines the changes from v3 and v4
- fix build failure GHA/ubuntu1804/mbedtls
- fix build failure GHA/ubuntu2204/libressl

Signed-off-by: Frank Lichtenheld <[email protected]>
Acked-by: Selva Nair <[email protected]>
Acked-by: Antonio Quartulli <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg26272.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit 2a1a21e)
Signed-off-by: Lev Stipakov <[email protected]>
Acked-by: Gert Doering <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg26281.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit 5b748ad)

These are mostly redundant with client/server.conf

Let's try to manage to maintain one set of sample configurations before we branch out further.

Change-Id: I199541fea5a76c8edef7f67d2dbfc476987dc2f7
Signed-off-by: Frank Lichtenheld <[email protected]>
Acked-by: Arne Schwabe <[email protected]>
Acked-by: Antonio Quartulli <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg28316.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit f8a8c78)

Change-Id: If825e5b1ebc6eecc9e5398f0d8274927b53e5b83
Signed-off-by: Martin Rys <[email protected]>
Acked-by: Frank Lichtenheld <[email protected]>
Signed-off-by: Frank Lichtenheld <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg28318.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit 15b7403)

Probably introduced by copy & paste since there is no COMP_ALGV2_LZO.

Github: OpenVPN#500

Change-Id: Id6b038c1c0095b2f22033e9dc7090e2507a373ab
Signed-off-by: Frank Lichtenheld <[email protected]>
Acked-by: Arne Schwabe <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg28251.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit 4076d24)

github: OpenVPN/pull/517

Change-Id: I4f349963b41ebe155d3866da8955f2d7245d0394
Signed-off-by: wellweek <[email protected]>
Acked-by: Frank Lichtenheld <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg28368.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit ad39f99)

The systemd unit files for both client and server were referencing outdated documentation as they were hard-coded to the OpenVPN 2.4.x release branch.

Github: closes OpenVPN#457

Change-Id: Iee289aa5df9ee0e9a03c0dc562e45dd39836e794
Signed-off-by: Christoph Schug <[email protected]>
Acked-by: Frank Lichtenheld <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg28369.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit f65c656)

Individual tests can define a script to run to test whether they should be skipped. Included in this commit is an example check which checks whether we can do NTLM checks. This fails e.g. on recent versions of Fedora with mbedTLS (tested with Fedora 39) or when NTLM support is not compiled in.

v2:
- ntlm_support:
  - support OpenSSL 3
  - allow to build without cmocka
v3:
- add example to t_client.rc-sample
- t_client.sh code style
- use syshead.h in error.h
v5:
- rename SKIP_x to CHECK_SKIP_x

Change-Id: I13ea6752c8d102eabcc579e391828c05d5322899
Signed-off-by: Frank Lichtenheld <[email protected]>
Acked-by: Gert Doering <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/search?l=mid&[email protected]
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit 0c7cf06)

The licenses are compatible now, so we can remove the warning.

Change-Id: I1879c893ed19b165fd086728fb97951eac251681
Signed-off-by: Max Fillinger <[email protected]>
Acked-by: Gert Doering <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg28400.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit 91eb460)

Change-Id: Ic377958d303b1dcfa9d877d3a63ecf39bdff7aef
Signed-off-by: Frank Lichtenheld <[email protected]>
Acked-by: Gert Doering <[email protected]>
Message-Id: <[email protected]>
URL: https://sourceforge.net/p/openvpn/mailman/message/58749316/
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit b25c6d7)

Currently, there's a risk associated with allowing plugins to be loaded from any location. This update ensures plugins are only loaded from a trusted directory, which is either:

- HKLM\SOFTWARE\OpenVPN\plugin_dir (or if the key is missing, then HKLM\SOFTWARE\OpenVPN, which is installation directory)
- System directory

Loading from UNC paths is disallowed.

Note: This change affects only Windows environments.

CVE: 2024-27903
Change-Id: I154a4aaad9242c9253a64312a14c5fd2ea95f40d
Reported-by: Vladimir Tokarev <[email protected]>
Signed-off-by: Lev Stipakov <[email protected]>
Acked-by: Selva Nair <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg28416.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit aaea545)
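The policy that commit describes (load only from a trusted directory or the system directory, never from a UNC path), shown as an added example in portable C. This is illustration code, not OpenVPN's or this PR's implementation: the trusted directory names, the file names and the helper names are constructed for the example, and a real implementation would read plugin_dir from the registry and canonicalise the candidate path (short names, junctions, drive-relative forms) before applying a check like this.

```c
/* Added example (not OpenVPN code): trusted-directory policy for plugin
 * loading. Directory names below are constructed for the illustration. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static bool is_sep(char c)
{
    return c == '\\' || c == '/';
}

/* UNC paths (\\server\share\...) start with two separators. */
static bool is_unc_path(const char *path)
{
    return is_sep(path[0]) && is_sep(path[1]);
}

/* Reject any ".." component so a path cannot walk back out of the
 * trusted directory. */
static bool has_parent_component(const char *path)
{
    const char *start = path;
    while (*start) {
        const char *end = start;
        while (*end && !is_sep(*end)) {
            end++;
        }
        if (end - start == 2 && start[0] == '.' && start[1] == '.') {
            return true;
        }
        start = *end ? end + 1 : end;
    }
    return false;
}

/* Windows paths compare case-insensitively and accept either separator. */
static bool path_char_eq(char a, char b)
{
    if (is_sep(a) && is_sep(b)) {
        return true;
    }
    return tolower((unsigned char)a) == tolower((unsigned char)b);
}

/* True if `path` names a file strictly inside `dir`: the directory prefix
 * must be followed by a separator, so "plugins-evil" never matches
 * "plugins". */
static bool is_under_dir(const char *path, const char *dir)
{
    size_t n = strlen(dir);
    while (n > 0 && is_sep(dir[n - 1])) {
        n--; /* ignore a trailing separator on the configured directory */
    }
    for (size_t i = 0; i < n; i++) {
        if (path[i] == '\0' || !path_char_eq(path[i], dir[i])) {
            return false;
        }
    }
    return is_sep(path[n]) && path[n + 1] != '\0';
}

/* Policy: no UNC, no "..", and the file must live under a trusted dir. */
bool plugin_path_allowed(const char *path, const char *const *trusted, size_t ntrusted)
{
    if (is_unc_path(path) || has_parent_component(path)) {
        return false;
    }
    for (size_t i = 0; i < ntrusted; i++) {
        if (is_under_dir(path, trusted[i])) {
            return true;
        }
    }
    return false;
}

/* Constructed trusted list: a hypothetical plugin_dir value plus the
 * system directory. Real code obtains these from the registry and
 * GetSystemDirectory() instead of hard-coding them. */
static const char *const TRUSTED_DIRS[] = {
    "C:\\Program Files\\OpenVPN\\plugins",
    "C:\\Windows\\System32",
};

bool demo_plugin_allowed(const char *path)
{
    return plugin_path_allowed(path, TRUSTED_DIRS, sizeof TRUSTED_DIRS / sizeof TRUSTED_DIRS[0]);
}

int main(void)
{
    const char *candidates[] = {
        "C:\\Program Files\\OpenVPN\\plugins\\myplugin.dll",
        "c:/program files/openvpn/PLUGINS/myplugin.dll",
        "\\\\fileserver\\share\\myplugin.dll",
        "C:\\Program Files\\OpenVPN\\plugins\\..\\..\\Temp\\myplugin.dll",
        "C:\\Program Files\\OpenVPN\\plugins-evil\\myplugin.dll",
        "C:\\Users\\Public\\myplugin.dll",
    };
    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++) {
        printf("%-62s %s\n", candidates[i], demo_plugin_allowed(candidates[i]) ? "allowed" : "refused");
    }
    return 0;
}
```

The prefix check alone is not enough: the "plugins-evil" and ".." candidates show two ways a naive `strncmp` against the trusted directory would pass a file that is not actually inside it.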
- Update to Node 20 versions of actions to avoid warnings
- Update to current vcpkg
- Update mbedTLS and LibreSSL to latest releases

Change-Id: I1ad6a0b1323ce0872f4a3299c5a9f18a982e0126
Signed-off-by: Frank Lichtenheld <[email protected]>
Acked-by: Arne Schwabe <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg28422.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit 36ff5cd)

Remote access to the service pipe is not needed and might be a potential attack vector. For example, if an attacker manages to get credentials for a user which is a member of the "OpenVPN Administrators" group on a victim machine, an attacker might be able to communicate with the privileged interactive service on a victim machine and start openvpn processes remotely.

CVE: 2024-24974
Microsoft case number: 85925
Reported-by: Vladimir Tokarev <[email protected]>
Change-Id: I8739c5f127e9ca0683fcdbd099dba9896ae46277
Signed-off-by: Lev Stipakov <[email protected]>
Acked-by: Heiko Hund <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg28419.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit 2c1de0f)

When reading a message from the pipe, we first peek the pipe to get the size of the message waiting to be read and then read the message. A compromised OpenVPN process could send an excessively large message, which would result in a stack-allocated message buffer overflow. To address this, we terminate the misbehaving process if the peeked message size exceeds the maximum allowable size.

CVE: 2024-27459
Microsoft case number: 85932
Reported-by: Vladimir Tokarev <[email protected]>
Change-Id: Ib5743cba0741ea11f9ee62c4978b2c6789b81ada
Signed-off-by: Lev Stipakov <[email protected]>
Acked-by: Heiko Hund <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg28420.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit 989b22c)
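An added example of the peek-then-check pattern that commit describes, written in portable C so it runs without a Windows named pipe. It is illustration code, not OpenVPN's or this PR's implementation: the byte stream, its 4-byte little-endian length framing, the 64-byte maximum and the helper names are all assumptions made for the example. The point it shows is that the declared size is compared with the receive buffer before anything is copied, and that an oversized declaration ends the session rather than being read.

```c
/* Added example (not OpenVPN code): bounded read of a length-prefixed
 * message from a simulated pipe. Framing and sample bytes are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_MSG_SIZE 64 /* hypothetical: largest message the service accepts */

/* Simulated pipe: each message is a 4-byte little-endian length followed by
 * that many payload bytes. A real service would peek a named pipe instead. */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
} fake_pipe_t;

/* Like peeking the pipe: report the next message's declared size without
 * consuming anything. Returns false if no complete header is available. */
static bool peek_message_size(const fake_pipe_t *p, size_t *size)
{
    if (p->len - p->pos < 4) {
        return false;
    }
    const uint8_t *h = p->data + p->pos;
    *size = (size_t)h[0] | ((size_t)h[1] << 8) | ((size_t)h[2] << 16) | ((size_t)h[3] << 24);
    return true;
}

typedef enum { READ_OK, READ_EMPTY, READ_TOO_LARGE, READ_TRUNCATED } read_result_t;

/* Hardened read: the declared size is checked against the destination
 * capacity before a single byte is copied. A read that trusts the peeked
 * size and copies it into a fixed stack buffer is the overflow being fixed.
 * READ_TOO_LARGE leaves the stream untouched so the caller can drop the
 * peer, as the service terminates the misbehaving process. */
static read_result_t read_message_checked(fake_pipe_t *p, uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t size;
    if (!peek_message_size(p, &size)) {
        return READ_EMPTY;
    }
    if (size > out_cap) {
        return READ_TOO_LARGE;
    }
    if (p->len - p->pos - 4 < size) {
        return READ_TRUNCATED; /* header promises more than is buffered */
    }
    memcpy(out, p->data + p->pos + 4, size);
    p->pos += 4 + size;
    *out_len = size;
    return READ_OK;
}

/* Constructed input: one well-formed 5-byte message, then a header that
 * claims 0xFFFFFFF0 bytes, the kind of value a compromised client could
 * write. */
static const uint8_t SAMPLE_PIPE[] = {
    5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o',
    0xF0, 0xFF, 0xFF, 0xFF,
};

typedef struct {
    int accepted;              /* messages read successfully */
    read_result_t stop_reason; /* why the receive loop ended */
} demo_result_t;

/* Service-style receive loop over the sample stream with a fixed-size
 * stack buffer, as in the interactive service. */
demo_result_t demo_service_loop(void)
{
    fake_pipe_t fp = { SAMPLE_PIPE, sizeof SAMPLE_PIPE, 0 };
    uint8_t buf[MAX_MSG_SIZE];
    size_t n = 0;
    demo_result_t r = { 0, READ_EMPTY };
    for (;;) {
        r.stop_reason = read_message_checked(&fp, buf, sizeof buf, &n);
        if (r.stop_reason != READ_OK) {
            break; /* on READ_TOO_LARGE: terminate the peer, do not retry */
        }
        r.accepted++;
    }
    return r;
}

int main(void)
{
    demo_result_t r = demo_service_loop();
    printf("accepted %d message(s), stopped with code %d\n", r.accepted, (int)r.stop_reason);
    return 0;
}
```

Running it accepts the first message and stops on the second with READ_TOO_LARGE while the stream position still points at the bad header; nothing was copied for it. The READ_TRUNCATED case handles the other mismatch a length prefix can have, a header that promises more bytes than the pipe holds.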
Commit 45a1cb2 ("Disable DCO if proxy is set via management") attempted to disable DCO when proxy is set via management interface. However, at least on Windows this doesn't work, since:

- setting tuntap_options->disable_dco to true is not enough to disable DCO
- at this point it is a bit too late, since we've already done DCO-specific adjustments

Since proxy can be set via management only if --management-query-proxy is specified, the better way is to add a check to dco_check_startup_option().

Github: fixes OpenVPN#522

Change-Id: I16d6a9fefa317d7d4a195e786618328445bdbca8
Signed-off-by: Lev Stipakov <[email protected]>
Acked-by: Frank Lichtenheld <[email protected]>
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg28415.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit fd6b839)

version.m4, ChangeLog, Changes.rst

Signed-off-by: Gert Doering <[email protected]>
…/NCL-1834--upgrade-openvpn-for-Sophos-Connect-Client-to-2.6.10

OpenVPN v2.6.3 release

2023.04.13 -- Version 2.6.3

Frank Lichtenheld (3):
      GHA: remove Ubuntu 18.04 builds
      vcpkg: request "tools" feature of openssl for MSVC build
      doc: run rst2* with --strict to catch warnings

Lev Stipakov (1):
      Support of DNS domain for DHCP-less drivers

Selva Nair (1):
      Bug-fix: segfault in dco_get_peer_stats()

# -----BEGIN PGP SIGNATURE-----
#
# iQGcBAABAgAGBQJkN5nuAAoJEB2Cnv7KVigSFWgMAJlokghVcC2p6VvWEK0fB/jh
# N+Zl7UbCy7VHaaYSo9Q9tZLPi+cx/ooVp3zV/t+JCtxvQEH5s0m1MleOERnTpqjU
# ZY12Fuh5uzZHbe8FrVHMcxQg5HNumP1WrFuUCiuxuK05ZwfKiAEejKmmsLxBPVfN
# iezruj5IstzjEI4M3q6WGR1ilUkdJ4CnEFIGdiOA+IOb+DsPazTa8TjT0L6xgpiL
# TxUI9wF0ThkCOIgv0s+6RH9guBv5+TE/Z9K1ydmWIfnOsjjemTlGhtHJ+VJq+k5F
# 6l8v/5UMz3jjl1MDfBj2O9ilWToHHIzHIKmnIL1AkqmNxYXD1HZ7bAv7vFV8WKi6
# /koU+ZuJUgylPLz61yV3R1XN0cfM25PL77Vl7Zi5DKWppKMEF7vaW+eE1GinrMt8
# Qg+JsGf0jl9suPlJQVw6MREUbkQXknLpaJiv2YdSCwz5JYy+0TCV4Y0ABRvgRFw6
# DvMvIWVOVHnSqMDY2UONzYfXCKg1EUKvg4Or+3JJqQ==
# =QMJK
# -----END PGP SIGNATURE-----
# gpg: Signature made Thu Apr 13 11:28:06 2023 IST
# gpg: using RSA key 1D829EFECA562812
# gpg: Can't check signature: No public key

…/NCL-1834--upgrade-openvpn-for-Sophos-Connect-Client-to-2.6.10

OpenVPN v2.6.4 release

2023.05.11 -- Version 2.6.4

Arne Schwabe (3):
      Remove unused variable line
      Add Apache2 linking with for new commits
      Fix compile error on TARGET_ANDROID

Frank Lichtenheld (2):
      man page: Remove cruft from --topology documentation
      tests: do not include t_client.sh in dist

Kristof Provost (1):
      DCO: support key rotation notifications

Michael Nix (1):
      fix typo in help text: --ignore-unknown-option

Selva Nair (2):
      Format Windows error message in Unicode
      Bugfix: dangling pointer passed to pkcs11-helper

# -----BEGIN PGP SIGNATURE-----
#
# iQGcBAABAgAGBQJkXIayAAoJEB2Cnv7KVigSoI0L/ihQbhq1qJNYUO/4pTjqAiRr
# PHmdF6f5AHBye4oGrBj4a4zy8vqnoV0bnQxjvcRT4arwgBO9KPKZKsut/Mpg8NUP
# uHxs74nunVLAXTQJqLXO3ECLS/VmF/rNQlVGZqmnOCRTETwTcFfQWGGRxawtioyx
# tnn3sXSsgxoWlQCWGMpGSzMyYJJ/sgfiDvIeRBb5+ulwmv/QlaUXWVmjrxDgDXvH
# HaB5/hVA6i92rBAVbCwBVSgAAn6CNGIF4l+ho40yCH1QMS+4sKnthpUM2a7eKjul
# JCWOPtiZFQvXAAYC3opUbMyGuQjompSuNuUr7lQ/rTZWy3R/PED3Evif1VIl0DbB
# Fr+ac4+odoeQUhz4pDHPxfdxtWILfsxWmP9cYZ7+0aEZUo/FMiaofdAdbq32k9Qj
# 2gUBybWafCch1D1Q6YjLvOn5r5Pc9H8DQTAbkq2cpk3nPCr11Eh4EEw/eXOJsy7c
# 2eMV/xkltdYG/QwKB4/WUXx0kTIbCNEilhvUMxN+Xw==
# =38u/
# -----END PGP SIGNATURE-----
# gpg: Signature made Thu May 11 11:39:54 2023 IST
# gpg: using RSA key 1D829EFECA562812
# gpg: Can't check signature: No public key
…/NCL-1834--upgrade-openvpn-for-Sophos-Connect-Client-to-2.6.10

OpenVPN Release v2.6.6

2023.08.14 -- Version 2.6.6

Antonio Quartulli (1):
      configure.ac: fix typ0 in LIBCAPNG_CFALGS

Arne Schwabe (8):
      Avoid unused function warning/error on FreeBSD (and potentially others)
      fix warning with gcc 12.2.0 (compiler bug?)
      Fix CR_RESPONSE management message using wrong key_id
      Print a more user-friendly error when tls-crypt-v2 client auth fails
      Ignore Ipv6 route delete request on Android and set ipv4 verbosity to 7
      Revert commit 423ced9
      Implement using --peer-fingerprint without CA certificates
      show extra info for OpenSSL errors

David Sommerseth (1):
      ntlm: Clarify details on NTLM phase 3 decoding

Frank Lichtenheld (8):
      dist: add more missing files only used in the MSVC build
      dist: Include all documentation in distribution
      unit_tests: Add missing cert_data.h to source list for unit tests
      test_tls_crypt: Improve mock() usage to be more portable
      Remove old Travis CI related files
      options: Do not hide variables from parent scope
      pkcs11_openssl: Disable unused code
      route: Fix overriding return value of add_route3

George Pchelkin (1):
      fix typo: dhcp-options to dhcp-option in vpn-network-options.rst

Gert Doering (1):
      Make received OCC exit messages more visible in log.

Heiko Hund (1):
      work around false positive warning with mingw 12

Lev Stipakov (3):
      tun.c: enclose DNS domain in single quotes in WMIC call
      manage.c: document missing KID parameter
      Set WINS servers via interactive service

Sergey Korolev (1):
      dco-linux: fix counter print format

# -----BEGIN PGP SIGNATURE-----
#
# iQGcBAABAgAGBQJk2ieqAAoJEB2Cnv7KVigSO1YL/05kPHUdOyh5Tk4hcax5u77c
# /J693A/3bsch5vyOCd15+cSW+VbycZsGdOfw3ZYgl+2UXrSY/J2s4RN4m85dPw+J
# TecqPETsblTyBCaqtMcA6494PLqrLTg/G97yBS3GKMYZWttjXzwi59/R9ED40jtE
# N0H5PltAaWjMflDH4mj6Dk4vDSz8yuCtpEbXfF+ytJQvjGnft+nx9gzKmMlz0H7y
# KFdBqi+3oWBIZ4mqroxSNn8Kf0s5nZ9vxvS4NTaFwtKWPl8CfZn/vaY5OLUJkeTO
# nvpAE+bIM/qghfsbR7tASK5m50CVcmAxPLta0iOYrlyDTSdlFIpEro3+MqV/Ki1C
# GYWiiVXpo/xgd8dnU0BARk7/xscXoL0pYFXDxWrdXqaTFQw1C2zq8J0GRdMOePTY
# o5Ewp3b14pqI1cxoS35kU6879elT3lFOrdKeeCWDDsCVOWczCcKWIfy6tzrXhK5D
# wBmA3rRe7H3FnCEKIFxitj3UlNEH8571VlTdc3Q4kw==
# =9uG4
# -----END PGP SIGNATURE-----
# gpg: Signature made Mon Aug 14 18:40:02 2023 IST
# gpg: using RSA key 1D829EFECA562812
# gpg: Can't check signature: No public key
…/NCL-1834--upgrade-openvpn-for-Sophos-Connect-Client-to-2.6.10

OpenVPN Release v2.6.8

2023.11.17 -- Version 2.6.8

Aquila Macedo (1):
      doc: Correct typos in multiple documentation files

Arne Schwabe (1):
      Do not check key_state buffers that are in S_UNDEF state

Frank Lichtenheld (1):
      platform.c: Do not depend Windows build on HAVE_CHDIR

Lev Stipakov (3):
      config.h: fix incorrect defines for _wopen()
      Make --dns options apply for tap-windows6 driver
      Warn if pushed options require DHCP

# -----BEGIN PGP SIGNATURE-----
#
# iQGcBAABAgAGBQJlVxbxAAoJEB2Cnv7KVigSKYkMAI0gMvKZgGF4QhcQ0eZYIy1M
# UbnLDkeIu4y862F8Nr/ynvcLK8Pmx5uYaKdAlYFn30c1ccQ/qYCeavvp2eNx/2Td
# +NMfVkolDOjHv6LcPaVr96o4luSdypSQPVdUClzn7ERpn54eGs6GCPklIGOV7sTo
# 4K9EkuENT5Vp1MTt4o5GC1jASC9+KfEbGAO7E2aSfKhfgMpnltjLUij8a/j96OJt
# nQ/5zB++0pHNxumb0QzBBMgSrtRlz8PSQAWnifFoF9+4Z/VGtQhMokCqKj7A3lPK
# kZP4ohZTzAFf5KvYXS636gFSxPW4/il3iBd8+OxsvIpG4efhWiftV9feHTR3DVMV
# 0E9G9UGSQaAQ9ZaVYsb70oN7IzkOjVFkwlpP4y+eWMD4js05kKK5CKAOfO9eYd+c
# MZm/D6KlxG1i52t+NZP34+MoUC84+RfsM2A5enpnWyEfttsIlVyTxohO3BJBTo2Q
# 8TcrklFtFY4rdrxNfg8FLjA9IybXBhL+YZEd0XSXww==
# =Adef
# -----END PGP SIGNATURE-----
# gpg: Signature made Fri Nov 17 13:02:01 2023 IST
# gpg: using RSA key 1D829EFECA562812
# gpg: Can't check signature: No public key
SeemaKodikanyana changed the title from "NCL-1802 : Address CVEs which affect - OpenVPN: 2.0 - 2.6.9" to "NCL-1834 : Address CVEs which affect - OpenVPN: 2.0 - 2.6.9" on Apr 16, 2024
grkatti approved these changes on Apr 30, 2024
Approved
This PR upgrades the Sophos OpenVPN source code repo to 2.6.10, which addresses the CVEs below.
CVE-2024-27459
CVE-2024-24974
CVE-2024-27903
CVE-2024-1305