Debian Patches
Status for openvpn/2.6.14-1+deb13u1
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| move_log_dir.patch | Set default logdir to /var/log/openvpn | Jörg Frings-Fürst <debian@jff-webhosting.net> | not-needed | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=553303 | debian | 2017-10-03 |
| auth-pam_libpam_so_filename.patch | Fix libpam.so filename to /lib/libpam.so.0 in pam plugin | Alberto Gonzalez Iniesta <agi@inittab.org> | no | | debian | |
| openvpn-pkcs11warn.patch | Warn users about deprecated pkcs11 options | Florian Kulzer <florian.kulzer+debian@icfo.es> | no | | debian | |
| fix-ftbfs-kernel-6.16.patch | [PATCH] dco linux: avoid redefining ovpn enums (2.6). Starting with Linux kernel version 6.16, a couple of ovpn-related enum definitions were introduced in the `include/uapi/linux/if_link.h` header. Redefining them in openvpn when they are already present in the system headers can lead to conflicts or build issues. This commit ensures that enum redefinitions are avoided by conditionally using the existing definitions from the system header when available. This is the port to release/2.6 based on commit 1d3c2b67a73a0aa011c13e62f876d24e49d41df0. | Frank Lichtenheld <frank@lichtenheld.com> | no | | | 2025-08-01 |
| check-message-id.patch | [PATCH] Check message id/acked ids too when doing sessionid cookie checks. This fixes that control packets on a floating client can trigger creating a new session in special circumstances. To trigger this circumstance a connection needs to start on IP A, successfully float to IP B by data packet, and then have a control packet from IP A before any data packet can trigger the float back to IP A, and all of this needs to happen in the 60s time that the hmac cookie is valid in the default configuration. In this scenario we would trigger a new connection as the HMAC session id would be valid. This patch adds checking also of the message-id and acked ids to discern packets from the initial three-way handshake, where these ids are 0 or 1, from any later packet. This will now trigger (at verb 4 or higher) a message like "Packet (P_ACK_V1) with invalid or missing SID" instead. Also remove a few duplicated free_tls_pre_decrypt_state in test_ssl. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1184 (backported from commit 518e122b42739b0dbb54e7169a8a3aadb4773125) | Arne Schwabe <arne@rfc2549.org> | no | | | 2025-09-16 |
| CVE-2025-13086.patch | [PATCH] Fix memcmp check for the hmac verification in the 3way handshake being inverted. This is a stupid mistake but causes all hmac cookies to be accepted, thus breaking source IP address validation. As a consequence, TLS sessions can be opened and state can be consumed in the server from IP addresses that did not initiate an initial connection. While at it, fix check to only allow [t-2;t] timeslots, disallowing HMACs coming in from a future timeslot. (cherry picked from commit 68ec931e7fb4af11d5ba0d4283df0350083fd373) | Arne Schwabe <arne@rfc2549.org> | no | | | 2025-10-27 |
All known versions for source package 'openvpn'
- 2.7.0~rc3-1 (sid, forky)
- 2.6.14-1+deb13u1 (trixie-security, trixie-proposed-updates)
- 2.6.14-1 (trixie)
- 2.6.3-1+deb12u4 (bookworm-proposed-updates, bookworm-security)
- 2.6.3-1+deb12u3 (bookworm)
