Package: openvpn Version: 2.3.4-5 Severity: normal Dear Maintainer,
According to the upstream bug tracker, versions of openvpn prior to OpenVPN 2.3.5 are subject to segfault when they try to use some special ciphers offered by new versions of OpenSSL (https://community.openvpn.net/openvpn/ticket/471) Some new ciphers offered by OpenSSL need access to a new API that is not to be implemented until 2.4.0. So, please, consider applying this upstream commit to the debian package: commit deff485f85e0eb9502f1ed2cdda2dd41a429fe58 Author: Steffan Karger <steffan@…> Date: Sun Jun 8 18:16:13 2014 +0200 Add proper check for crypto modes (CBC or OFB/CFB) OpenSSL has added AEAD-CBC mode ciphers like AES-128-CBC-HMAC-SHA1, which have mode EVP_CIPH_CBC_MODE, but require a different API (the AEAD API). So, add extra checks to filter out those AEAD-mode ciphers. Problem is current version list these ciphers as available, and will segfault when you try to use them. Obvious workaround if to not use those cipher modes. -- System Information: Debian Release: 8.0 APT prefers stable APT policy: (500, 'stable'), (100, 'unstable'), (1, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores) Locale: LANG=es_ES.UTF-8, LC_CTYPE=es_ES.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Init: systemd (via /run/systemd/system) Versions of packages openvpn depends on: ii debconf [debconf-2.0] 1.5.56 ii init-system-helpers 1.22 ii initscripts 2.88dsf-59 ii iproute2 3.16.0-2 ii libc6 2.19-17 ii liblzo2-2 2.08-1.2 ii libpam0g 1.1.8-3.1 ii libpkcs11-helper1 1.11-2 ii libssl1.0.0 1.0.1k-3 Versions of packages openvpn recommends: ii easy-rsa 2.2.2-1 Versions of packages openvpn suggests: ii openssl 1.0.1k-3 pn resolvconf <none> -- Configuration Files: /etc/default/openvpn changed [not included] -- debconf information excluded -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
