diff --git a/CVE-2024-28882.patch b/CVE-2024-28882.patch
deleted file mode 100644
index bb08d2bffde30c72faf4f09d274ba52b477a2eba..0000000000000000000000000000000000000000
--- a/CVE-2024-28882.patch
+++ /dev/null
@@ -1,140 +0,0 @@
-From 65fb67cd6c320a426567b2922c4282fb8738ba3f Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Reynir=20Bj=C3=B6rnsson?=
-Date: Thu, 16 May 2024 13:58:08 +0200
-Subject: [PATCH] Only schedule_exit() once
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-If an exit has already been scheduled we should not schedule it again.
-Otherwise, the exit signal is never emitted if the peer reschedules the
-exit before the timeout occurs.
-
-schedule_exit() now only takes the context as argument. The signal is
-hard coded to SIGTERM, and the interval is read directly from the
-context options.
-
-Furthermore, schedule_exit() now returns a bool signifying whether an
-exit was scheduled; false if exit is already scheduled. The call sites
-are updated accordingly. A notable difference is that management is only
-notified *once* when an exit is scheduled - we no longer notify
-management on redundant exit.
-
-This patch was assigned a CVE number after already reviewed and ACKed,
-because it was discovered that a misbehaving client can use the (now
-fixed) server behaviour to avoid being disconnected by means of a
-managment interface "client-kill" command - the security issue here is
-"client can circumvent security policy set by management interface".
-
-This only affects previously authenticated clients, and only management
-client-kill, so normal renegotion / AUTH_FAIL ("your session ends") is not
-affected.
-CVE: 2024-28882
-
-Change-Id: I9457f005f4ba970502e6b667d9dc4299a588d661
-Signed-off-by: Reynir Björnsson
-Acked-by: Arne Schwabe
-Message-Id: <20240516120434.23499-1-gert@greenie.muc.de>
-URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg28679.html
-Signed-off-by: Gert Doering
-(cherry picked from commit 55bb3260c12bae33b6a8eac73cbb6972f8517411)
----
- src/openvpn/forward.c | 15 +++++++++++----
- src/openvpn/forward.h | 2 +-
- src/openvpn/push.c | 12 +++++++-----
- 3 files changed, 19 insertions(+), 10 deletions(-)
-
-diff --git a/src/openvpn/forward.c b/src/openvpn/forward.c
-index e9811b9c..29e812ff 100644
---- a/src/openvpn/forward.c
-+++ b/src/openvpn/forward.c
-@@ -514,17 +514,24 @@ check_server_poll_timeout(struct context *c)
- }
-
- /*
-- * Schedule a signal n_seconds from now.
-+ * Schedule a SIGTERM signal c->options.scheduled_exit_interval seconds from now.
- */
--void
--schedule_exit(struct context *c, const int n_seconds, const int signal)
-+bool
-+schedule_exit(struct context *c)
- {
-+ const int n_seconds = c->options.scheduled_exit_interval;
-+ /* don't reschedule if already scheduled. */
-+ if (event_timeout_defined(&c->c2.scheduled_exit))
-+ {
-+ return false;
-+ }
- tls_set_single_session(c->c2.tls_multi);
- update_time();
- reset_coarse_timers(c);
- event_timeout_init(&c->c2.scheduled_exit, n_seconds, now);
-- c->c2.scheduled_exit_signal = signal;
-+ c->c2.scheduled_exit_signal = SIGTERM;
- msg(D_SCHED_EXIT, "Delayed exit in %d seconds", n_seconds);
-+ return true;
- }
-
- /*
-diff --git a/src/openvpn/forward.h b/src/openvpn/forward.h
-index 060fc374..245a8029 100644
---- a/src/openvpn/forward.h
-+++ b/src/openvpn/forward.h
-@@ -302,7 +302,7 @@ void reschedule_multi_process(struct context *c);
-
- void process_ip_header(struct context *c, unsigned int flags, struct buffer *buf);
-
--void schedule_exit(struct context *c, const int n_seconds, const int signal);
-+bool schedule_exit(struct context *c);
-
- static inline struct link_socket_info *
- get_link_socket_info(struct context *c)
-diff --git a/src/openvpn/push.c b/src/openvpn/push.c
-index 1b406b9c..d220eeb9 100644
---- a/src/openvpn/push.c
-+++ b/src/openvpn/push.c
-@@ -204,7 +204,11 @@ receive_exit_message(struct context *c)
- * */
- if (c->options.mode == MODE_SERVER)
- {
-- schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
-+ if (!schedule_exit(c))
-+ {
-+ /* Return early when we don't need to notify management */
-+ return;
-+ }
- }
- else
- {
-@@ -391,7 +395,7 @@ __attribute__ ((format(__printf__, 4, 5)))
- void
- send_auth_failed(struct context *c, const char *client_reason)
- {
-- if (event_timeout_defined(&c->c2.scheduled_exit))
-+ if (!schedule_exit(c))
- {
- msg(D_TLS_DEBUG, "exit already scheduled for context");
- return;
-@@ -401,8 +405,6 @@ send_auth_failed(struct context *c, const char *client_reason)
- static const char auth_failed[] = "AUTH_FAILED";
- size_t len;
-
-- schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
-
- len = (client_reason ? strlen(client_reason)+1 : 0) + sizeof(auth_failed);
- if (len > PUSH_BUNDLE_SIZE)
- {
-@@ -492,7 +494,7 @@ send_auth_pending_messages(struct tls_multi *tls_multi,
- void
- send_restart(struct context *c, const char *kill_msg)
- {
--- schedule_exit(c, c->options.scheduled_exit_interval, SIGTERM);
-+ schedule_exit(c);
- send_control_channel_string(c, kill_msg ? kill_msg : "RESTART", D_PUSH);
- }
-
---
-2.20.1
-
diff --git a/openvpn-2.6.11.tar.gz b/openvpn-2.6.11.tar.gz
new file mode 100644
index 0000000000000000000000000000000000000000..1c5cb887e4538fb7a5d5395d650d3cc06c499bea
Binary files /dev/null and b/openvpn-2.6.11.tar.gz differ
diff --git a/openvpn-2.6.9.tar.gz b/openvpn-2.6.9.tar.gz
deleted file mode 100644
index 00d8fa0d3d8df273fed758148368b20747a38226..0000000000000000000000000000000000000000
Binary files a/openvpn-2.6.9.tar.gz and /dev/null differ
diff --git a/openvpn.spec b/openvpn.spec
index c230f9c27eb77041060c334c0e440110a1dd588f..351a9513f829e4fe4b2eee1cb34bd7a394c3aa5d 100644
--- a/openvpn.spec
+++ b/openvpn.spec
@@ -1,12 +1,11 @@
 Name: openvpn
-Version: 2.6.9
-Release: 2
+Version: 2.6.11
+Release: 1
 Summary: A full-featured open source SSL VPN solution
 License: GPL-2.0-or-later and OpenSSL and SSLeay
 URL: https://community.openvpn.net/openvpn
 Source0: https://build.openvpn.net/downloads/releases/%{name}-%{version}.tar.gz
 Patch0: openvpn-2.4-change-tmpfiles-permissions.patch
-Patch1: CVE-2024-28882.patch
 BuildRequires: openssl-devel lz4-devel systemd-devel lzo-devel gcc
 BuildRequires: iproute pam-devel pkcs11-helper-devel >= 1.11
 BuildRequires: libselinux-devel
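Review bot: Dropping `Patch1: CVE-2024-28882.patch` is only safe if the 2.6.11 tarball is the genuine upstream release that already contains commit 55bb3260 (the cherry-pick origin named in the deleted patch), and nothing in this change ties the new Source0 to upstream: openvpn-2.6.11.tar.gz arrives as an opaque binary with no recorded checksum and no signature check. Before merging, verify the tarball against upstream's detached signature (if one is published alongside the release at the Source0 location) and record the result next to `Source0:` in the spec, e.g. `# openvpn-2.6.11.tar.gz: sha256 recorded and GPG signature verified against upstream release key`. It is also worth confirming in the unpacked source that `bool schedule_exit(struct context *c);` is present in src/openvpn/forward.h, since the build no longer applies the fix itself and the changelog's claim is the only evidence of it.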
@@ -125,6 +124,16 @@ fi
 %{_mandir}/man5/openvpn-examples.5.gz
 %changelog
+* Wed Jul 10 2024 yaoxin - 2.6.11-1
+- Update to 2.6.11
+- Security fixes:
+ * CVE-2024-4877: Windows: harden interactive service pipe.
+ * CVE-2024-5594: control channel: refuse control channel messages with nonprintable characters in them.
+ * CVE-2024-28882: only call schedule_exit() once (on a given peer).
+- Bug fixes:
+ * Fix connect timeout when using SOCKS proxies
+ * Add bracket in fingerprint message and do not warn about missing verification
+
 * Tue Jul 09 2024 zhangxianting - 2.6.9-2
 - Fix CVE-2024-28882