diff --git a/CVE-2020-11810.patch b/CVE-2020-11810.patch deleted file mode 100644 index 466cf0c..0000000 --- a/CVE-2020-11810.patch +++ /dev/null @@ -1,65 +0,0 @@ -From 37bc691e7d26ea4eb61a8a434ebd7a9ae76225ab Mon Sep 17 00:00:00 2001 -From: Lev Stipakov -Date: Wed, 15 Apr 2020 10:30:17 +0300 -Subject: [PATCH] Fix illegal client float (CVE-2020-11810) - -There is a time frame between allocating peer-id and initializing data -channel key (which is performed on receiving push request or on async -push-reply) in which the existing peer-id float checks do not work right. - -If a "rogue" data channel packet arrives during that time frame from -another address and with same peer-id, this would cause client to float -to that new address. This is because: - - - tls_pre_decrypt() sets packet length to zero if - data channel key has not been initialized, which leads to - - - openvpn_decrypt() returns true if packet length is zero, - which leads to - - - process_incoming_link_part1() returns true, which - calls multi_process_float(), which commits float - -Note that problem doesn't happen when data channel key is initialized, -since in this case openvpn_decrypt() returns false. - -The net effect of this behaviour is that the VPN session for the -"victim client" is broken. Since the "attacker client" does not have -suitable keys, it can not inject or steal VPN traffic from the other -session. The time window is small and it can not be used to attack -a specific client's session, unless some other way is found to make it -disconnect and reconnect first. - -CVE-2020-11810 has been assigned to acknowledge this risk. - -Fix illegal float by adding buffer length check ("is this packet still -considered valid") before calling multi_process_float(). - -Trac: #1272 -CVE: 2020-11810 - -Signed-off-by: Lev Stipakov -Acked-by: Arne Schwabe -Acked-by: Antonio Quartulli -Acked-by: Gert Doering -Message-Id: <20200415073017.22839-1-lstipakov@gmail.com> -URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg19720.html -Signed-off-by: Gert Doering ---- - src/openvpn/multi.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c -index b42bcec97..056e3dc76 100644 ---- a/src/openvpn/multi.c -+++ b/src/openvpn/multi.c -@@ -2577,7 +2577,8 @@ multi_process_incoming_link(struct multi_context *m, struct multi_instance *inst - orig_buf = c->c2.buf.data; - if (process_incoming_link_part1(c, lsi, floated)) - { -- if (floated) -+ /* nonzero length means that we have a valid, decrypted packed */ -+ if (floated && c->c2.buf.len > 0) - { - multi_process_float(m, m->pending); - } diff --git a/CVE-2020-15078.patch b/CVE-2020-15078.patch deleted file mode 100644 index 0fa2007..0000000 --- a/CVE-2020-15078.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 6b03967183591d8a7e619caaf529f7581619326b Mon Sep 17 00:00:00 2001 -From: Arne Schwabe -Date: Tue, 6 Apr 2021 00:05:21 +0200 -Subject: [PATCH] Ensure key state is authenticated before sending push reply - -This ensures that the key state is authenticated when sendinga push reply. ---- - src/openvpn/push.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/src/openvpn/push.c b/src/openvpn/push.c -index dd5bd41..fcdd76b 100644 ---- a/src/openvpn/push.c -+++ b/src/openvpn/push.c -@@ -647,6 +647,7 @@ int - process_incoming_push_request(struct context *c) - { - int ret = PUSH_MSG_ERROR; -+ struct key_state *ks = &c->c2.tls_multi->session[TM_ACTIVE].key[KS_PRIMARY]; - - #ifdef ENABLE_ASYNC_PUSH - c->c2.push_request_received = true; -@@ -657,7 +658,12 @@ process_incoming_push_request(struct context *c) - send_auth_failed(c, client_reason); - ret = PUSH_MSG_AUTH_FAILURE; - } -- else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED) -+ else if (!c->c2.push_reply_deferred && c->c2.context_auth == CAS_SUCCEEDED -+ && ks->authenticated -+ #ifdef ENABLE_DEF_AUTH -+ && !ks->auth_deferred -+ #endif -+ ) - { - time_t now; - --- -2.23.0 - diff --git a/openvpn-2.4.8.tar.gz b/openvpn-2.4.8.tar.gz deleted file mode 100644 index 3d5ce58..0000000 Binary files a/openvpn-2.4.8.tar.gz and /dev/null differ diff --git a/openvpn-2.5.5.tar.gz b/openvpn-2.5.5.tar.gz new file mode 100644 index 0000000..6bbb308 Binary files /dev/null and b/openvpn-2.5.5.tar.gz differ diff --git a/openvpn.spec b/openvpn.spec index 6b10891..95e3bf3 100644 --- a/openvpn.spec +++ b/openvpn.spec @@ -1,12 +1,10 @@ Name: openvpn -Version: 2.4.8 -Release: 6 +Version: 2.5.5 +Release: 1 Summary: A full-featured open source SSL VPN solution -License: GPLv2 and OpenSSL and SSLeay +License: GPL-2.0-or-later and OpenSSL and SSLeay URL: https://community.openvpn.net/openvpn Source0: https://swupdate.openvpn.org/community/releases/openvpn-%{version}.tar.gz -Patch0000: CVE-2020-11810.patch -Patch0001: CVE-2020-15078.patch BuildRequires: openssl-devel lz4-devel systemd-devel lzo-devel gcc BuildRequires: iproute pam-devel pkcs11-helper-devel >= 1.11 @@ -58,7 +56,6 @@ cp -a contrib sample $RPM_BUILD_ROOT%{_pkgdocdir} %check make check - %pre getent group openvpn &>/dev/null || groupadd -r openvpn getent passwd openvpn &>/dev/null || \ @@ -121,8 +118,12 @@ fi %files help %{_pkgdocdir} %{_mandir}/man8/%{name}.8* +%{_mandir}/man5/openvpn-examples.5.gz %changelog +* Wed Dec 29 2021 zhangjiapeng - 2.5.5-1 +- Update to 2.5.5 + * Wed Jun 9 2021 zhaoyao - 2.4.8-6 - fix faileds: /bin/sh: gcc: command not found.