Hi,
On 13/03/2022 21:07, David Sommerseth wrote:
From: David Sommerseth <[email protected]>
The plug-in API in OpenVPN 2.x is not designed for running multiple
deferred authentication processes in parallel. The authentication
results of such configurations are not to be trusted. For now we bail
out when this is discovered with an error in the log.
CVE: 2022-0547
Signed-off-by: David Sommerseth <[email protected]>
Tested and it does what it says on the lid.
The whole approach requires larger refactoring, but for now this is
enough to close the hole.
Acked-by: Antonio Quartulli <[email protected]>
--
Antonio Quartulli