- Update to Node 20 versions of actions to avoid warnings
- Update to current vcpkg
- Update mbedTLS and LibreSSL to latest releases
Change-Id: I1ad6a0b1323ce0872f4a3299c5a9f18a982e0126
Signed-off-by: Frank Lichtenheld
Acked-by: Arne Schwabe
---
This change was reviewed on Gerrit and approved
Currently, there's a risk associated with allowing plugins to be loaded
from any location. This update ensures plugins are only loaded from a
trusted directory, which is either:
- HKLM\SOFTWARE\OpenVPN\plugin_dir (or if the key is missing,
then HKLM\SOFTWARE\OpenVPN, which is installation
When reading message from the pipe, we first peek the pipe to get the size
of the message waiting to be read and then read the message. A compromised
OpenVPN process could send an excessively large message, which would result
in a stack-allocated message buffer overflow.
To address this, we
cron2 has uploaded a new patch set (#2) to the change originally created by
flichtenheld. ( http://gerrit.openvpn.net/c/openvpn/+/544?usp=email )
The following approvals got outdated and were removed:
Code-Review+2 by plaisthos
Change subject: GHA: general update March 2024
cron2 has submitted this change. (
http://gerrit.openvpn.net/c/openvpn/+/544?usp=email )
Change subject: GHA: general update March 2024
..
GHA: general update March 2024
- Update to Node 20 versions of actions to avoid
Tested on my GH repo. Works (except as noted for ubuntu/ASAN).
Your patch has been applied to the master and release/2.6 branch.
(Two merge conflicts, one related to "there is no checkout for
mingw-unittests in 2.6 (yet)" and one to "no mbedtls3 tests")
commit
When reading message from the pipe, we first peek the pipe to get the size
of the message waiting to be read and then read the message. A compromised
OpenVPN process could send an excessively large message, which would result
in a stack-allocated message buffer overflow.
To address this, we
Attention is currently required from: flichtenheld.
plaisthos has posted comments on this change. (
http://gerrit.openvpn.net/c/openvpn/+/544?usp=email )
Change subject: GHA: general update March 2024
..
Patch Set 1:
Remote access to the service pipe is not needed and might
be a potential attack vector.
For example, if an attacker manages to get credentials for
a user which is the member of "OpenVPN Administrators" group
on a victim machine, an attacker might be able to communicate
with the privileged
Thanks for that.
This patch was sent "with ACK included" to the openvpn-devel@ list because
it was developed under embargo (CVE), and reviewed and ACKed in a closed
group. I have verified that this patch is identical to the "v4 one" that
Selva and the original reporter saw and ACKed.
This is
Remote access to the service pipe is not needed and might
be a potential attack vector.
For example, if an attacker manages to get credentials for
a user which is the member of "OpenVPN Administrators" group
on a victim machine, an attacker might be able to communicate
with the privileged
As for the "plugin loading", this patch was sent "with ACK included" to
the openvpn-devel@ list because it was developed under embargo (CVE),
and reviewed and ACKed in a closed group. I have verified that this
patch is identical to the that Heiko and the original reporter saw and
ACKed.
It's not
cron2 has submitted this change. (
http://gerrit.openvpn.net/c/openvpn/+/543?usp=email )
Change subject: Disable DCO if proxy is set via management
..
Disable DCO if proxy is set via management
Commit
45a1cb2a ("Disable
cron2 has uploaded a new patch set (#2) to the change originally created by
stipa. ( http://gerrit.openvpn.net/c/openvpn/+/543?usp=email )
The following approvals got outdated and were removed:
Code-Review+2 by flichtenheld
Change subject: Disable DCO if proxy is set via management
As for the two previous windows/CVE patches, this patch was sent "with
ACK included" to the openvpn-devel@ list because it was developed under
embargo (CVE), and reviewed and ACKed in a closed group. I have verified
that this patch is identical to the "v2" version that Heiko and the original
As for the two previous windows/CVE patches, this patch was sent "with
ACK included" to the openvpn-devel@ list because it was developed under
embargo (CVE), and reviewed and ACKed in a closed group. I have verified
that this patch is identical to the "v2" version that Heiko and the original
Straight and to the point :-)
Minimally tested with a linux t_client setup that uses DCO and proxy (but
no --managment-query-proxy).
Your patch has been applied to the master and release/2.6 branch (bugfix).
commit fd6b8395f6cee8a6c28f335ec25ed6db11f7 (master)
commit
17 matches
Mail list logo
