FEDORA-EPEL-2011-3154 created by robert 12 years ago for Fedora EPEL 5

This update includes the following upstream fixes and changes:

2010.11.09 -- Version 2.1.4

  • Fix problem with special case route targets ('remote_host'): The init_route() function will leave &netlist untouched for get_special_addr() routes ("remote_host" being one of them). netlist is on the stack, contains random garbage, and netlist.len will not be 0 - thus, random stack data is copied from netlist.data[] until the route_list is full. Thanks to Teodor MICU and Gert Doering for finding and fixing this issue.
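The netlist bug in miniature, as an added C example with simplified stand-ins for OpenVPN's route structures (not the project's own code): the uncleared struct is copied from as if it held real routes, while zeroing it before init_route() makes the untouched case harmless. Structure names, sizes and the 0xAA fill are constructed for the illustration.

```c
#include <stdint.h>
#include <string.h>
#define MAX_NETLIST 8
#define MAX_ROUTES  4

/* Simplified stand-ins for OpenVPN's route structures (constructed here). */
struct route_netlist { uint32_t data[MAX_NETLIST]; int len; };
struct route_list    { uint32_t routes[MAX_ROUTES]; int n; };

/* Mimics init_route(): a special target like "remote_host" is handled elsewhere,
 * so the function returns without writing to *netlist at all. */
static void init_route(const char *target, struct route_netlist *netlist)
{
    if (strcmp(target, "remote_host") == 0)
        return;                          /* netlist deliberately left untouched */
    netlist->data[0] = 0x0A000001u;      /* constructed address 10.0.0.1 */
    netlist->len = 1;
}

/* Copies netlist entries into the route list until it is full. */
static void copy_routes(const struct route_netlist *nl, struct route_list *rl)
{
    for (int i = 0; i < nl->len && rl->n < MAX_ROUTES; i++)
        rl->routes[rl->n++] = nl->data[i];
}

/* Buggy pattern: netlist is never cleared, so whatever the stack slot held
 * (simulated by stale_len and a 0xAA fill) is copied as if it were routes. */
static int routes_added_unsafe(const char *target, int stale_len)
{
    struct route_list rl = { {0}, 0 };
    struct route_netlist netlist;
    netlist.len = stale_len;                          /* simulated stack garbage */
    memset(netlist.data, 0xAA, sizeof netlist.data);  /* simulated stack garbage */
    init_route(target, &netlist);
    copy_routes(&netlist, &rl);
    return rl.n;
}

/* Hardened pattern: zero the struct before init_route(), so an untouched
 * netlist has len == 0 and the special-case target adds no bogus routes. */
static int routes_added_safe(const char *target)
{
    struct route_list rl = { {0}, 0 };
    struct route_netlist netlist;
    memset(&netlist, 0, sizeof netlist);
    init_route(target, &netlist);
    copy_routes(&netlist, &rl);
    return rl.n;
}
```

With a simulated stale length of 5, the unsafe version fills all four route slots with garbage for "remote_host"; the zeroed version adds none.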

2010.08.20 -- Version 2.1.3

  • Windows build fixes: Attempt to fix issue where domake-win build system was not properly signing drivers and .exe files. This change is only affecting the Windows build scripts and not the OpenVPN code base.

2010.08.09 -- Version 2.1.2

  • Windows security issue: Fixed potential local privilege escalation vulnerability in Windows service. The Windows service did not properly quote the executable filename passed to CreateService. A local attacker with write access to the root directory C:\ could create an executable that would be run with the same privilege level as the OpenVPN Windows service. However, since non-Administrative users normally lack write permission on C:\, this vulnerability is generally not exploitable except on older versions of Windows (such as Win2K) where the default permissions on C:\ would allow any user to create files there. Credit: Scott Laurie, MWR InfoSecurity
  • Added Python-based alternative build system for Windows using Visual Studio 2008 (in win directory).
  • When aborting in a non-graceful way, try to execute do_close_tun in init.c prior to daemon exit to ensure that the tun/tap interface is closed and any added routes are deleted.
  • Fixed an issue where AUTH_FAILED was not being properly delivered to the client when a bad password is given for mid-session reauth, causing the connection to fail without an error indication.
  • Don't advance to the next connection profile on AUTH_FAILED errors.
  • Fixed an issue in the Management Interface that could cause a process hang with 100% CPU utilization in --management-client mode if the management interface client disconnected at the point where credentials are queried.
  • Fixed an issue where if reneg-sec was set to 0 on the client, so that the server-side value would take precedence, the auth_deferred_expire_window function would incorrectly return a window period of 0 seconds. In this case, the correct window period should be the handshake window period.
  • Modified ">PASSWORD:Verification Failed" management interface notification to include a client reason string: ">PASSWORD:Verification Failed: 'AUTH_TYPE' ['REASON_STRING']"
  • Enable exponential backoff in reliability layer retransmits.
  • Set socket buffers (SO_SNDBUF and SO_RCVBUF) immediately after socket is created rather than waiting until after connect/listen.
  • Management interface performance optimizations:
    • Added env-filter MI command to perform filtering on env vars passed through as a part of --management-client-auth
    • man_write will now try to aggregate output into larger blocks (up to 1024 bytes) for more efficient i/o
  • Fixed minor issue in Windows TAP driver DEBUG builds where non-null-terminated unicode strings were being printed incorrectly.
  • Fixed issue on Windows with MSVC compiler, where TCP_NODELAY support was not being compiled in.
  • Proxy improvements:
    • Improved the ability of http-auth "auto" flag to dynamically detect the auth method required by the proxy.
    • Added http-auth "auto-nct" flag to reject weak proxy auth methods.
    • Added HTTP proxy digest authentication method.
    • Removed extraneous openvpn_sleep calls from proxy.c.
  • Implemented http-proxy-override and http-proxy-fallback directives to make it easier for OpenVPN client UIs to start a pre-existing client config file with proxy options, or to adaptively fall back to a proxy connection if a direct connection fails.
  • Implemented a key/value auth channel from client to server.
  • Fixed issue where bad creds provided by the management interface for HTTP Proxy Basic Authentication would go into an infinite retry-fail loop instead of requerying the management interface for new creds.
  • Added support for MSVC debugging of openvpn.exe in "# Build debugging version of openvpn.exe", "!define PRODUCT_OPENVPN_DEBUG"
  • Implemented multi-address DNS expansion on the network field of route commands: When only a single IP address is desired from a multi-address DNS expansion, use the first address rather than a random selection.
  • Added --register-dns option for Windows.
  • Fixed some issues on Windows with --log, subprocess creation for command execution, and stdout/stderr redirection.
  • Fixed an issue where application payload transmissions on the TLS control channel (such as AUTH_FAILED) that occur during or immediately after a TLS renegotiation might be dropped.
  • Added warning about tls-remote option in man page.
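The CreateService issue in the 2.1.2 entry, as an added C example (not OpenVPN's service installer code): an audit check that flags a binary path containing spaces but no enclosing quotes, and the quoting a service installer should apply before passing the path to CreateService. The install path shown is constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* True when a service binary path would be ambiguous to the Windows service
 * manager: it contains a space and is not enclosed in double quotes. */
static bool service_path_is_unquoted(const char *path)
{
    size_t n = strlen(path);
    if (strchr(path, ' ') == NULL)
        return false;                         /* no spaces: nothing to misparse */
    return !(n >= 2 && path[0] == '"' && path[n - 1] == '"');
}

/* Builds the lpBinaryPathName value to hand to CreateService: the executable
 * path wrapped in double quotes. Returns 0 on success, -1 if the path already
 * contains a quote or the output buffer is too small. */
static int quote_service_path(const char *exe, char *out, size_t outlen)
{
    if (strchr(exe, '"') != NULL)
        return -1;
    int n = snprintf(out, outlen, "\"%s\"", exe);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Convenience check: does quoting turn exe into an unambiguous path? */
static bool quoting_fixes_path(const char *exe)
{
    char buf[512];
    return quote_service_path(exe, buf, sizeof buf) == 0
        && !service_path_is_unquoted(buf);
}

int main(void)
{
    /* Constructed example install path; not taken from the OpenVPN installer. */
    const char *exe = "C:\\Program Files\\OpenVPN\\bin\\openvpnserv.exe";
    char path[256];
    printf("unquoted path flagged: %s\n", service_path_is_unquoted(exe) ? "yes" : "no");
    if (quote_service_path(exe, path, sizeof path) == 0)
        printf("CreateService binary path: %s\n", path);
    return 0;
}
```

The same check can be run over the ImagePath values of installed services to find other binaries registered without quotes.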

This update has been submitted for testing by robert.

12 years ago

This update has been pushed to testing

12 years ago

This update has reached 14 days in testing and can be pushed to stable now if the maintainer wishes

12 years ago

This update has been submitted for stable by robert.

12 years ago

This update has been pushed to stable

12 years ago
