Commit 36e6270c authored by Alberto Gonzalez Iniesta

Merge branch 'jessie'

Conflicts:
	debian/changelog
	debian/control
	debian/patches/series
parents db0b5876 b35ad09b
......@@ -7,6 +7,24 @@ openvpn (2.3.5-1) unstable; urgency=medium
-- Alberto Gonzalez Iniesta <agi@inittab.org> Wed, 29 Oct 2014 17:44:06 +0100
openvpn (2.3.4-5) unstable; urgency=high
* Apply upstream patch that fixes possible DoS by authenticated
clients. CVE-2014-8104
* Patch sample certs since they were expired and made the package
build fail. (Closes: #770835)
-- Alberto Gonzalez Iniesta <agi@inittab.org> Mon, 01 Dec 2014 16:10:37 +0100
openvpn (2.3.4-4) unstable; urgency=medium
* Use dh-systemd in order to enable the service unit.
(Closes: #768411)
* Add comment on /etc/default/openvpn file about options
not supported on systemd. (Closes: #768384)
-- Alberto Gonzalez Iniesta <agi@inittab.org> Fri, 07 Nov 2014 13:59:54 +0100
openvpn (2.3.4-3) unstable; urgency=medium
* Apply patch by Samuel Thibault to clean up temporary files.
......
......@@ -2,7 +2,7 @@ Source: openvpn
Section: net
Priority: optional
Maintainer: Alberto Gonzalez Iniesta <agi@inittab.org>
Build-Depends: debhelper (>= 7.0.50~), libssl-dev (>> 0.9.8g-9), liblzo2-dev, libpam0g-dev, libpkcs11-helper1-dev, pkg-config, dpkg-dev (>= 1.16.1), iproute2 [linux-any], net-tools [!linux-any], libsystemd-daemon-dev
Build-Depends: debhelper (>= 7.0.50~), libssl-dev (>> 0.9.8g-9), liblzo2-dev, libpam0g-dev, libpkcs11-helper1-dev, pkg-config, dpkg-dev (>= 1.16.1), iproute2 [linux-any], net-tools [!linux-any], dh-systemd (>= 1.5), libsystemd-daemon-dev
Standards-Version: 3.9.5
Homepage: http://www.openvpn.net/
Vcs-Git: git://anonscm.debian.org/collab-maint/openvpn.git
......
......@@ -16,6 +16,9 @@
#AUTOSTART="none"
#AUTOSTART="home office"
#
# WARNING: If you're running systemd the rest of the
# options in this file are ignored.
#
# Refresh interval (in seconds) of default status files
# located in /var/run/openvpn.$NAME.status
# Defaults to 10, 0 disables status file generation
......
From c5590a6821e37f3b29735f55eb0c2b9c0924138c Mon Sep 17 00:00:00 2001
From: Steffan Karger <steffan.karger@fox-it.com>
Date: Thu, 20 Nov 2014 13:43:05 +0100
Subject: [PATCH] Drop too-short control channel packets instead of asserting
out.
This fixes a denial-of-service vulnerability where an authenticated client
could stop the server by triggering a server-side ASSERT().
OpenVPN would previously ASSERT() that control channel packets have a
payload of at least 4 bytes. An authenticated client could trigger this
assert by sending a too-short control channel packet to the server.
Thanks to Dragana Damjanovic for reporting the issue.
This bug has been assigned CVE-2014-8104.
Signed-off-by: Steffan Karger <steffan.karger@fox-it.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1CED409804E2164C8104F9E623B08B9018803B0FE7@FOXDFT02.FOX.local>
Signed-off-by: Gert Doering <gert@greenie.muc.de>
---
src/openvpn/ssl.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
Index: openvpn/src/openvpn/ssl.c
===================================================================
--- openvpn.orig/src/openvpn/ssl.c 2014-12-01 16:09:43.031080162 +0100
+++ openvpn/src/openvpn/ssl.c 2014-12-01 16:09:43.027080161 +0100
@@ -2028,7 +2028,11 @@
ASSERT (session->opt->key_method == 2);
/* discard leading uint32 */
- ASSERT (buf_advance (buf, 4));
+ if (!buf_advance (buf, 4)) {
+ msg (D_TLS_ERRORS, "TLS ERROR: Plaintext buffer too short (%d bytes).",
+ buf->len);
+ goto error;
+ }
/* get key method */
key_method_flags = buf_read_u8 (buf);
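Review bot: The patch file's only provenance metadata is the git-format-patch `From:`/`Subject:` lines; since this is the fix for CVE-2014-8104 named in the changelog, an explicit DEP-3 header such as `Origin: upstream, commit:c5590a6821e37f3b29735f55eb0c2b9c0924138c` (the hash on the file's first line) and, if one exists, `Bug-Debian: <DEBIAN-BUG-URL>` would let anyone auditing debian/patches trace it without reading the description. In the ssl.c hunk the replacement of `ASSERT (buf_advance (buf, 4))` by a logged `goto error` is the whole fix; the enclosing function and the `error:` label it jumps to begin and end outside the hunk, so the cleanup taken on that path cannot be checked here. For operators, the new `msg (D_TLS_ERRORS, "TLS ERROR: Plaintext buffer too short (%d bytes).", ...)` line is the log signal that a peer sent such a packet, and per the description it can come from an already-authenticated client, which makes it worth surfacing in monitoring rather than treating as noise. The `Index:` line and the absolute timestamps on the `---`/`+++` lines look like artifacts of a quilt refresh and will churn on the next refresh; cosmetic only.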
......@@ -6,3 +6,5 @@ route_default_nil.patch
kfreebsd_support.patch
accommodate_typo.patch
manpage_fixes.patch
0001-Drop-too-short-control-channel-packets-instead-of-as.patch
update_sample_certs.patch
......@@ -11,7 +11,7 @@ endif
export DEB_BUILD_MAINT_OPTIONS = hardening=+all
%:
dh $@
dh $@ --with systemd
override_dh_auto_configure:
dh_auto_configure -- $(shell dpkg-buildflags --export=configure) --enable-password-save --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr --mandir=\$${prefix}/share/man --with-ifconfig-path=/sbin/ifconfig $(ROUTE_ARGS) --with-plugindir=\$${prefix}/lib/openvpn --includedir=\$${prefix}/include/openvpn --enable-pkcs11 --enable-x509-alt-username --enable-systemd
......@@ -70,3 +70,6 @@ override_dh_installinit:
override_dh_compress:
dh_compress --exclude=.cnf --exclude=pkitool
override_dh_systemd_start:
dh_systemd_start --restart-after-upgrade
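Review bot: The new `override_dh_systemd_start` in the second hunk passes `--restart-after-upgrade`, which I believe is already dh_systemd_start's default behaviour, so the override reads as redundant and the next maintainer may drop it. If it is kept to make the choice explicit for a VPN daemon, a one-line comment above it would fix the intent, e.g. `# Keep running tunnels up during unpack; restart openvpn once in postinst`. The `%:` rule in the first hunk now runs `dh $@ --with systemd`, which is what the new `dh-systemd (>= 1.5)` build-dependency in debian/control supports; the `--enable-systemd` configure flag on the `override_dh_auto_configure` line is context here and was already present.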