Update to 2.5.5
This commit is contained in:
jpzhang187
parent
e188357f25
commit
3b0457b60f
@ -1,65 +0,0 @@
|
||||
From 37bc691e7d26ea4eb61a8a434ebd7a9ae76225ab Mon Sep 17 00:00:00 2001
|
||||
From: Lev Stipakov <lev@openvpn.net>
|
||||
Date: Wed, 15 Apr 2020 10:30:17 +0300
|
||||
Subject: [PATCH] Fix illegal client float (CVE-2020-11810)
|
||||
|
||||
There is a time frame between allocating peer-id and initializing data
|
||||
channel key (which is performed on receiving push request or on async
|
||||
push-reply) in which the existing peer-id float checks do not work right.
|
||||
|
||||
If a "rogue" data channel packet arrives during that time frame from
|
||||
another address and with same peer-id, this would cause client to float
|
||||
to that new address. This is because:
|
||||
|
||||
- tls_pre_decrypt() sets packet length to zero if
|
||||
data channel key has not been initialized, which leads to
|
||||
|
||||
- openvpn_decrypt() returns true if packet length is zero,
|
||||
which leads to
|
||||
|
||||
- process_incoming_link_part1() returns true, which
|
||||
calls multi_process_float(), which commits float
|
||||
|
||||
Note that problem doesn't happen when data channel key is initialized,
|
||||
since in this case openvpn_decrypt() returns false.
|
||||
|
||||
The net effect of this behaviour is that the VPN session for the
|
||||
"victim client" is broken. Since the "attacker client" does not have
|
||||
suitable keys, it can not inject or steal VPN traffic from the other
|
||||
session. The time window is small and it can not be used to attack
|
||||
a specific client's session, unless some other way is found to make it
|
||||
disconnect and reconnect first.
|
||||
|
||||
CVE-2020-11810 has been assigned to acknowledge this risk.
|
||||
|
||||
Fix illegal float by adding buffer length check ("is this packet still
|
||||
considered valid") before calling multi_process_float().
|
||||
|
||||
Trac: #1272
|
||||
CVE: 2020-11810
|
||||
|
||||
Signed-off-by: Lev Stipakov <lev@openvpn.net>
|
||||
Acked-by: Arne Schwabe <arne@rfc2549.org>
|
||||
Acked-by: Antonio Quartulli <antonio@openvpn.net>
|
||||
Acked-by: Gert Doering <gert@greenie.muc.de>
|
||||
Message-Id: <20200415073017.22839-1-lstipakov@gmail.com>
|
||||
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19720.html
|
||||
Signed-off-by: Gert Doering <gert@greenie.muc.de>
|
||||
---
|
||||
src/openvpn/multi.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
|
||||
index b42bcec97..056e3dc76 100644
|
||||
--- a/src/openvpn/multi.c
|
||||
+++ b/src/openvpn/multi.c
|
||||
@@ -2577,7 +2577,8 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst
|
||||
orig_buf = c->c2.buf.data;
|
||||
if (process_incoming_link_part1(c, lsi, floated))
|
||||
{
|
||||
- if (floated)
|
||||
+ /* nonzero length means that we have a valid, decrypted packed */
|
||||
+ if (floated && c->c2.buf.len > 0)
|
||||
{
|
||||
multi_process_float(m, m->pending);
|
||||
}
|
||||
@ -1,39 +0,0 @@
|
||||
From 6b03967183591d8a7e619caaf529f7581619326b Mon Sep 17 00:00:00 2001
|
||||
From: Arne Schwabe <arne@rfc2549.org>
|
||||
Date: Tue, 6 Apr 2021 00:05:21 +0200
|
||||
Subject: [PATCH] Ensure key state is authenticated before sending push reply
|
||||
|
||||
This ensures that the key state is authenticated when sendinga push reply.
|
||||
---
|
||||
src/openvpn/push.c | 8 +++++++-
|
||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/openvpn/push.c b/src/openvpn/push.c
|
||||
index dd5bd41..fcdd76b 100644
|
||||
--- a/src/openvpn/push.c
|
||||
+++ b/src/openvpn/push.c
|
||||
@@ -647,6 +647,7 @@ int
|
||||
process_incoming_push_request(struct context *c)
|
||||
{
|
||||
int ret = PUSH_MSG_ERROR;
|
||||
+ struct key_state *ks = &c->c2.tls_multi->session[TM_ACTIVE].key[KS_PRIMARY];
|
||||
|
||||
#ifdef ENABLE_ASYNC_PUSH
|
||||
c->c2.push_request_received = true;
|
||||
@@ -657,7 +658,12 @@ process_incoming_push_request(struct context *c)
|
||||
send_auth_failed(c, client_reason);
|
||||
ret = PUSH_MSG_AUTH_FAILURE;
|
||||
}
|
||||
- else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED)
|
||||
+ else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED
|
||||
+ && ks->authenticated
|
||||
+ #ifdef ENABLE_DEF_AUTH
|
||||
+ && !ks->auth_deferred
|
||||
+ #endif
|
||||
+ )
|
||||
{
|
||||
time_t now;
|
||||
|
||||
--
|
||||
2.23.0
|
||||
|
||||
Binary file not shown.
BIN
openvpn-2.5.5.tar.gz
Normal file
BIN
openvpn-2.5.5.tar.gz
Normal file
Binary file not shown.
13
openvpn.spec
13
openvpn.spec
@ -1,12 +1,10 @@
|
||||
Name: openvpn
|
||||
Version: 2.4.8
|
||||
Release: 6
|
||||
Version: 2.5.5
|
||||
Release: 1
|
||||
Summary: A full-featured open source SSL VPN solution
|
||||
License: GPLv2 and OpenSSL and SSLeay
|
||||
License: GPL-2.0-or-later and OpenSSL and SSLeay
|
||||
URL: https://community.openvpn.net/openvpn
|
||||
Source0: https://swupdate.openvpn.org/community/releases/openvpn-%{version}.tar.gz
|
||||
Patch0000: CVE-2020-11810.patch
|
||||
Patch0001: CVE-2020-15078.patch
|
||||
BuildRequires: openssl-devel lz4-devel systemd-devel lzo-devel gcc
|
||||
BuildRequires: iproute pam-devel pkcs11-helper-devel >= 1.11
|
||||
|
||||
@ -58,7 +56,6 @@ cp -a contrib sample $RPM_BUILD_ROOT%{_pkgdocdir}
|
||||
%check
|
||||
make check
|
||||
|
||||
|
||||
%pre
|
||||
getent group openvpn &>/dev/null || groupadd -r openvpn
|
||||
getent passwd openvpn &>/dev/null || \
|
||||
@ -121,8 +118,12 @@ fi
|
||||
%files help
|
||||
%{_pkgdocdir}
|
||||
%{_mandir}/man8/%{name}.8*
|
||||
%{_mandir}/man5/openvpn-examples.5.gz
|
||||
|
||||
%changelog
|
||||
* Wed Dec 29 2021 zhangjiapeng <zhangjiapeng9@huawei.com> - 2.5.5-1
|
||||
- Update to 2.5.5
|
||||
|
||||
* Wed Jun 9 2021 zhaoyao <zhaoyao32@huawei.com> - 2.4.8-6
|
||||
- fix faileds: /bin/sh: gcc: command not found.
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user