Debian Patches

Status for openvpn/2.6.3-1+deb12u3

Patch Description Author Forwarded Bugs Origin Last update
sample-keys-renew-10-years.patch [PATCH] sample-keys: renew for the next 10 years
Old expiration was October 2024, less than a year away.
Give everyone the chance to get the new keys before tests
start failing.
Author: Frank Lichtenheld <frank@lichtenheld.com> | Forwarded: no | Origin: https://github.com/OpenVPN/openvpn/commit/78e0c5f2f57a18e8ea60951696a458a4b3ff3621 | Last update: 2023-11-21
CVE-2025-2704.patch [PATCH] Allow tls-crypt-v2 to be setup only on initial packet of a session

This fixes an internal server error condition that can be triggered by a
malicious authenticated client, a very unlucky corruption of packets in
transit or by an attacker that is able to inject a specially created
packet at the right time and is able to observe the traffic to construct
the packet.

The error condition results in an ASSERT statement being triggered,

under embargo on the security@openvpn.net mailing list, and thus has
no publicly available "mailing list discussion before merge" URL.

(cherry picked from commit 82ee2fe4b42d9988c59ae3f83bd56a54d54e8c76)
Author: Arne Schwabe <arne@rfc2549.org> | Forwarded: no | Last update: 2025-04-01
move_log_dir.patch Set default logdir to /var/log/openvpn
Bugs: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=553303 | Author: Jörg Frings-Fürst <debian@jff-webhosting.net> | Forwarded: not-needed | Origin: debian | Last update: 2017-10-03
auth-pam_libpam_so_filename.patch Fix libpam.so filename to /lib/libpam.so.0 in pam plugin
Author: Alberto Gonzalez Iniesta <agi@inittab.org> | Forwarded: no | Origin: debian
openvpn-pkcs11warn.patch Warn users about deprecated pkcs11 options
Author: Florian Kulzer <florian.kulzer+debian@icfo.es> | Forwarded: no | Origin: debian
systemd.patch remove syslog.target
Author: Jörg Frings-Fürst <debian@jff.email> | Forwarded: no | Last update: 2018-07-29
fix-dangling-pointer-in-pkcs11.patch [PATCH] Bugfix: dangling pointer passed to pkcs11-helper

(cherry picked from commit f4850745709c5b80ab7d09c03a86c5ceea6d10a2)
Author: Selva Nair <selva.nair@gmail.com> | Forwarded: no | Last update: 2023-05-09
fix-memleak-in-dco_get_peer_stats_multi.patch [PATCH] DCO: fix memory leak in dco_get_peer_stats_multi for Linux
Leaks a small amount of memory every 15s.

(cherry picked from commit 276f7c86d70666bc2ab4e6192ef5f1dcbd6a230f)
Author: Frank Lichtenheld <frank@lichtenheld.com> | Forwarded: no | Last update: 2023-05-15
CVE-2023-46849.patch [PATCH] Remove saving initial frame code
This code was necessary before the frame/buffer refactoring as we
always did relative adjustment to the frame.

This also fixes that previously initial_frame was initialised too
early before the fragment related options were initialised and contained
0 for the maximum frame size. This resulted in a DIV by 0 that caused an
abort on platforms that throw an exception for that.

Only people with --fragment in their config are affected
Author: Arne Schwabe <arne@rfc2549.org> | Forwarded: no | Last update: 2023-10-19
CVE-2023-46850.patch [PATCH] Fix using to_link buffer after freed
When I refactored the tls_state_change method in
9a7b95fda5 I accidentally changed a break into
a return true while it should return a false.

The code here is extremely fragile in the sense
that it assumes that setting a keystate to S_ERROR
cannot have any outgoing buffer or we will have a
use after free. The previous break and now restored
return false ensure this by skipping any further
tls_process_state loops that might set to ks->S_ERROR
and ensure that the to_link is sent out and cleared
before having more loops in tls_state_change.

This affects everyone, even with tls-auth/tls-crypt enabled.

(cherry picked from commit 57a5cd1e12f193927c9b7429f8778fec7e04c50a)
Author: Arne Schwabe <arne@rfc2549.org> | Forwarded: no | Last update: 2023-10-27
CVE-2024-28882.patch [PATCH] Only schedule_exit() once
If an exit has already been scheduled we should not schedule it again.
Otherwise, the exit signal is never emitted if the peer reschedules the
exit before the timeout occurs.

schedule_exit() now only takes the context as argument. The signal is
hard coded to SIGTERM, and the interval is read directly from the
context options.

Furthermore, schedule_exit() now returns a bool signifying whether an
exit was scheduled; false if exit is already scheduled. The call sites
are updated accordingly. A notable difference is that management is only
notified *once* when an exit is scheduled - we no longer notify
management on redundant exit.

This patch was assigned a CVE number after already reviewed and ACKed,
because it was discovered that a misbehaving client can use the (now
fixed) server behaviour to avoid being disconnected by means of a
management interface "client-kill" command - the security issue here is
"client can circumvent security policy set by management interface".

This only affects previously authenticated clients, and only management
client-kill, so normal renegotiation / AUTH_FAIL ("your session ends") is not
affected.

(cherry picked from commit 55bb3260c12bae33b6a8eac73cbb6972f8517411)
Author: Reynir Björnsson <reynir@reynir.dk> | Forwarded: no | Last update: 2024-05-16
CVE-2024-5594.patch [PATCH] Properly handle null bytes and invalid characters in control messages

This makes OpenVPN more picky in accepting control messages in two aspects:
- Characters are checked in the whole buffer and not until the first
NUL byte
- if the message contains invalid characters, we no longer continue
evaluating a fixed up version of the message but rather stop
processing it completely.

Previously it was possible to get invalid characters to end up in log
files or on a terminal.

This also prepares the logic a bit in the direction of having a proper
framing of control messages separated by null bytes instead of relying
on the TLS framing for that. All OpenVPN implementations write the 0
bytes between control commands.

This patch also includes several improvement suggestions from Reynir
(thanks!).

(cherry picked from commit 414f428fa29694090ec4c46b10a8aba419c85659)
Author: Arne Schwabe <arne@rfc2549.org> | Forwarded: no | Last update: 2024-05-27